moparisthebest/wget
1
0
Fork 0
mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00
Code Issues Releases Wiki Activity

Added OpenSSL support for --crl-file

Browse Source
This commit is contained in:
Tim Rühsen 2014-11-11 17:56:09 +01:00
parent 176c2b17fc
commit cf4991d602
7 changed files with 64 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/ChangeLog
View File

@ -1,3 +1,7 @@
2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de>
* openssl.c (ssl_init): Load CRL file given by --crl-file
2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de>
* http.c (gethttp): Always add Accept-Encoding: identity

16
src/openssl.c
View File

@ -254,6 +254,22 @@ ssl_init (void)
SSL_CTX_set_default_verify_paths (ssl_ctx);
SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
if (opt.crl_file)
{
X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx);
X509_LOOKUP *lookup;
int rc;
if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ()))
|| (!(rc = X509_load_crl_file (lookup, opt.crl_file, X509_FILETYPE_PEM))))
{
logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc);
return false;
}
X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
/* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
certificate is invalid. We verify the certificate separately in
ssl_check_certificate, which provides much better diagnostics

4
testenv/ChangeLog
View File

@ -1,3 +1,7 @@
2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de>
* recreated the certs and the CRL file, also amended certs/README
2014-11-10 Tim Ruehsen <tim.ruehsen@gmx.de>
* removed certs/wget-cert.pem

23
testenv/certs/README
View File

@ -1,6 +1,7 @@
To create the server RSA private key:
$ certtool --generate-privkey --outfile server-key.pem --rsa
To create a self signed CA certificate:
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
@ -14,7 +15,7 @@ Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6079996172146959675):
Enter the certificate's serial number in decimal (default: 6080487640893163573):
Activation/Expiration time.
The certificate will expire in (days): -1
@ -24,13 +25,11 @@ Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: 127.0.0.1
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N):
@ -51,24 +50,23 @@ Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6079998890988883856):
Enter the certificate's serial number in decimal (default: 6080488276853553635):
Activation/Expiration time.
The certificate will expire in (days): -1
Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate: localhost
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: 127.0.0.1
Enter a dnsName of the subject of the certificate: localhost
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (Y/n):
Will the certificate be used for encryption (not required for TLS)? (Y/n):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
To create a CRL for the server certificate:
@ -78,4 +76,3 @@ Update times.
The certificate will expire in (days): -1
CRL Number (default: 6080006793650397145):

23
testenv/certs/ca-cert.pem
View File

@ -1,21 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIIVGB8TiyN5TswDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
MIIDPjCCAiagAwIBAgIIVGI7SyiXCDUwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0
MTExMDA4NTAyNFoYDzk5OTkxMjMxMjM1OTU5WjAwMREwDwYDVQQDEwhHTlUgV2dl
MTExMTE2MzczM1oYDzk5OTkxMjMxMjM1OTU5WjAwMREwDwYDVQQDEwhHTlUgV2dl
dDENMAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAv2IR1/gsaJsn+egtVFbMMMbivK+eVzPY8wEXb2flpe9a
Kkwz824nSSrWfRigQmf/ODkNlK2x91kppfPmWkClUREQB3I4d/sHFnzqCkFKmNwt
VT4DsL47VumgZF6ZjSqTYQD3MDH3VhFj1iKrRMM/aCZXwntD+67sKw6UPXfFbfUO
Recpb7fCZPZFVFYStxgcF7cyH+DADLX5QCEjiLYH1es6FXrdw+ypgwBl+HuLkQ/4
gE0JLQK5PAKSYeLy0JEBUPovkMXT+r9aPkQBF/9WD6uUPia0ERHbMIT0My84hBrG
9d5u5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABo3gwdjAPBgNVHRMB
Af8EBTADAQH/MBQGA1UdEQQNMAuCCTEyNy4wLjAuMTAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwkwDwYDVR0PAQH/BAUDAwemADAdBgNVHQ4EFgQU8z5OOIRK
qb7Bb8dho1DabimL61QwDQYJKoZIhvcNAQELBQADggEBAEyG0E8RrSNfv9ZtqidB
9j660p8CynFDsX+hjfR1Sy4v5aUxxaA1spj/L5ioQXgjFKfht3zyPQBwLDSWNb41
1yaGrPjwDfal/CWY1lJHGZGiEuxtZ32mMYNSUNBQk0t2P33NssdjdtJ8Tm9BZwqH
/NxHTi00MTQlG4L01KSAf7wJtapA1Ad6u6WAU+316EuTQ0eh7owOugaSIpCFgwQA
hq3SkUW8P2hL9ZYX0lGzaqE9oKm9dIvpfVPrWhbhnGMPR2X/7B8IgK84r3Eb1CF2
3nysbcWH8BSxpN0d8oYPhUFi3jyV9InqFvEPxyMQ9MmtjDb4JpA6tkL6UwP77br6
Th0=
9d5u5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABo1gwVjAPBgNVHRMB
Af8EBTADAQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHBgAw
HQYDVR0OBBYEFPM+TjiESqm+wW/HYaNQ2m4pi+tUMA0GCSqGSIb3DQEBCwUAA4IB
AQCWKV1Txo3xytRSO1PwWK9ce5FhvQW9mubuuWmbEnQt9JaOhO1Og6ZmdPDlAQeo
m0CJZZ0VNeodoBXPGopy3VyzF4ZzUR9leGk3sb1qTSoDCvJd/zLrfukHKugtwuK0
b1fPnEjBjQ6gQI21coc1tmyX8Qsm7of5n+Ji601WG+FiVmmdEsCjmA/eAvwSbu1E
cAVH476KUt4CrpVPQQVqzFPDz8i4iw/P+Jo+iNmL5S72OG2GfkSJq3XkUYa509W6
N+8c3p4y0q/PcQ92s1OIHyEPZFRFhm4xw0sHkhD2KVoHseHZjCoYn4/lIzMPnJ6v
EfZUJQXndeJnffbthaUp8Ea2
-----END CERTIFICATE-----

20
testenv/certs/server-cert.pem
View File

@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
MIIDgDCCAmigAwIBAgIIVGB+xzQpT5AwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
MIIDgDCCAmigAwIBAgIIVGI73zrIeeMwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0
MTExMDA5MDA1OVoYDzk5OTkxMjMxMjM1OTU5WjAxMRIwEAYDVQQDEwkxMjcuMC4w
MTExMTE2NDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAxMRIwEAYDVQQDEwkxMjcuMC4w
LjExDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMjC3Gt55EfStl6mE371+pD3/cpR5MLxkdbBss5MlIP2
TDhiPOItLXml8oxs4BjUm3wfn3GV9iJLmbzbIWL+0kbRkQ2LCPKUf+Cln3z2ZE+r
@ -9,13 +9,13 @@ XwdWlT8gVfv51Opfkp2lLDVUqLfNKRGQgivjSCmLqY2LqeB0SaVNvuaD3EpqZyIH
0E5SZgjqBHgRRtvGkcy0rOmp5SI2NASLugUioXa9OLWjpYDwodsd3ERlL0DJ1aJW
8TC8Tqix4i0osWzar+LXBIin0Qvar9/uRHN0p1kq3p0XgNHKqWpiTT54+WYx7Pem
v4qRXz11swiJzUL+Pw1DurQ9smbzDgAsz7V2FJnUeCcCAwEAAaOBmDCBlTAMBgNV
HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdEQQYMBaCCWxvY2Fs
aG9zdIIJMTI3LjAuMC4xMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323L
HRMBAf8EAjAAMB8GA1UdEQQYMBaCCTEyNy4wLjAuMYIJbG9jYWxob3N0MBMGA1Ud
JQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323L
JbKTM/tMKSt0qlUqewbnMB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tU
MA0GCSqGSIb3DQEBCwUAA4IBAQBeRV2kMWuksna/E6hqcQ5C76UFq9RDcvxIoJQ/
2ANywD+EcQYyBNSSL+yyv6/Pp9gXlqjciYdb3OgdPb++3y/UC6IxkeFv1uNDwJfS
HVX9avm12CXfZt4zMrq1GQX4gjJ9jkItMCY4atdyAQROGnzDWzNuwSWaasL3oUPT
qDUMHZR2kH2cIr9S07YT/8RslMdlMgeI4Y9JCGuRspgxwnDtM5L3vZEnGsud7DSa
1/8LGiYydNIpCikwd2Pzdwp9G8mm7AExU3AsXPCyYxDWWjfyhBjTY+5aR57igNeB
CaP+xoDNilbJ/RM+0Ygv/ue7gY49f8nESQP+0HQVborwl3h2
MA0GCSqGSIb3DQEBCwUAA4IBAQCDmuSD4IGmn0UQ5jhGQquh92Iu59j64Rrg7EIM
zoppciyYR8gDUutOI9CEisxJz6umvAdOo5L981gcFaBv6hHWaE/krAZccR+ZXZP6
fI9btO8My8O63fYcd2KkLEFqvKDF43i01S2LrqXdPo3uELbFZwxCmUKsexFGsoW1
CbXbRjnS7w/f72myRmvBeDiNMuGfe1lb4IflybH3DMlKC7i0AN1JKglp+IKn5XAE
neWR03i3UaYJsibIxj0DkTS+hVPu5MXQ9RlF5CkRdFKjGinLE/u70XyAyx0/IeAN
e7c2MJvpdfRmTXm2ew4sNyK9RXo7Bv0Yqkl65iMscF8LNnxL
-----END CERTIFICATE-----

18
testenv/certs/server-crl.pem
View File

@ -1,12 +1,12 @@
-----BEGIN X509 CRL-----
MIIB1DCBvQIBATANBgkqhkiG9w0BAQsFADAwMREwDwYDVQQDEwhHTlUgV2dldDEN
MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VGA8yMDE0MTExMDA5MzUyMVoYDzk5
OTkxMjMxMjM1OTU5WjAdMBsCCFRgfsc0KU+QGA8yMDE0MTExMDA5MzUyMVqgNjA0
MB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMBEGA1UdFAQKAghUYIba
N/WqiDANBgkqhkiG9w0BAQsFAAOCAQEALV862K6ErgDdHKVag2mibcyguI83mPUm
AhkbZ0vUFIjf39kDwXfBdGjQPPRilAM+2nraN7UTZs6y+2UDTbavaOpn5YFEoP5f
Z6AN+PMEVi8QfkpQHIRJPVg1noJMBU+KgqGvzg7pCpzD8WyrH/4AAmuQoD18YndP
SQGmTvsap3nCQPtCcGnONbdvqlHF47toy9nYz+4auS+RpEPiUa9YT5zNOwQwlQg5
cgdbkheEqN3SLeTAxvDSVaHbVEr2U7rsR8ckMNXE0xgNuDmvIiTiqps+e2oE88Ii
421c+VGZE4LE5NeETIk8V4drxbdYZpwRB2/BzmDwKhMAB8WBIH2sFA==
MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VGA8yMDE0MTExMTE2NDU1NFoYDzk5
OTkxMjMxMjM1OTU5WjAdMBsCCFRiO986yHnjGA8yMDE0MTExMTE2NDU1NFqgNjA0
MB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMBEGA1UdFAQKAghUYj1E
KHs9ijANBgkqhkiG9w0BAQsFAAOCAQEAZgwqs1VOFG39dFHHMXvBr4eJfhwiG4bC
cL6IvLhvl9ikcyQMHrpOBtNjkCtgclSbJjjTDdera1+zuCWE0WBOJ4mojYdAIOhR
QvSwp4NwAtibu2F/fjeXoo+LEpcRKtLvAotB30eCZ1OPrijsa/HxFILOLlayjns8
wM4RmQC4o43y1G/1jqM8hGDg4Wz0j1URVuyP+pU55JpubV5LlExy3gIRwevD2lam
q3hiighenJYFO3HGZkYT2SIoSpXZnQqKPJ4HwRBSg/cjOpc1y1lIIvKhmk+Cut6M
+S5HL4pIk8vGYg57nTfOOkj1goqFkfU0DBqvVAZj02ay/VIDu61T1g==
-----END X509 CRL-----