
Added OpenSSL support for --crl-file

This commit is contained in:
Tim Rühsen 2014-11-11 17:56:09 +01:00
parent 176c2b17fc
commit cf4991d602
7 changed files with 64 additions and 44 deletions


@ -1,3 +1,7 @@
2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de>
* openssl.c (ssl_init): Load CRL file given by --crl-file
2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de> 2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de>
* http.c (gethttp): Always add Accept-Encoding: identity * http.c (gethttp): Always add Accept-Encoding: identity


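--- a/src/openssl.c
+++ b/src/openssl.c
@@ -254,6 +254,22 @@ ssl_init (void)
 SSL_CTX_set_default_verify_paths (ssl_ctx);
 SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
+if (opt.crl_file)
+{
+X509_STORE *store = SSL_CTX_get_cert_store (ssl_ctx);
+X509_LOOKUP *lookup;
+int rc;
+if (!(lookup = X509_STORE_add_lookup (store, X509_LOOKUP_file ()))
+|| (!(rc = X509_load_crl_file (lookup, opt.crl_file, X509_FILETYPE_PEM))))
+{
+logprintf (LOG_NOTQUIET, _("ERROR: Failed to load CRL file '%s': (%d)\n"), opt.crl_file, rc);
+return false;
+}
+X509_STORE_set_flags (store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+}
 /* SSL_VERIFY_NONE instructs OpenSSL not to abort SSL_connect if the
 certificate is invalid. We verify the certificate separately in
 ssl_check_certificate, which provides much better diagnostics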
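Review bot: `rc` is read uninitialized on one of the two failure paths: when `X509_STORE_add_lookup` returns NULL the `||` short-circuits before `X509_load_crl_file` runs, yet the logprintf still prints `rc` — undefined behavior and a meaningless number in the diagnostic — and on the other path `rc` is 0 by definition, so the `(%d)` never carries information. Initialize it, `int rc = 0;`, or better split the two calls and report each failure separately, ideally with the OpenSSL error queue (`ERR_reason_error_string (ERR_get_error ())`) if openssl/err.h is already included in this file. Two caveats deserve a comment on the `X509_STORE_set_flags` line: `X509_V_FLAG_CRL_CHECK_ALL` makes verification demand a CRL for every CA in the chain, so a --crl-file covering only the leaf's issuer will fail multi-level chains with "unable to get certificate CRL", and the file is loaded as `X509_FILETYPE_PEM` only, so a DER-encoded CRL is rejected with the same error message. This new `return false` leaves ssl_ctx allocated; check whether the earlier failure returns in ssl_init free it (ssl_init starts and ends outside the hunk). Also worth confirming that the CRL result is honored by the separate ssl_check_certificate path the comment below describes, rather than being masked by SSL_VERIFY_NONE.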


@ -1,3 +1,7 @@
2014-11-11 Tim Ruehsen <tim.ruehsen@gmx.de>
* recreated the certs and the CRL file, also amended certs/README
2014-11-10 Tim Ruehsen <tim.ruehsen@gmx.de> 2014-11-10 Tim Ruehsen <tim.ruehsen@gmx.de>
* removed certs/wget-cert.pem * removed certs/wget-cert.pem


@ -1,6 +1,7 @@
To create the server RSA private key: To create the server RSA private key:
$ certtool --generate-privkey --outfile server-key.pem --rsa $ certtool --generate-privkey --outfile server-key.pem --rsa
To create a self signed CA certificate: To create a self signed CA certificate:
$ certtool --generate-privkey --outfile ca-key.pem $ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
@ -14,7 +15,7 @@ Country name (2 chars):
Enter the subject's domain component (DC): Enter the subject's domain component (DC):
This field should not be used in new certificates. This field should not be used in new certificates.
E-mail: E-mail:
Enter the certificate's serial number in decimal (default: 6079996172146959675): Enter the certificate's serial number in decimal (default: 6080487640893163573):
Activation/Expiration time. Activation/Expiration time.
The certificate will expire in (days): -1 The certificate will expire in (days): -1
@ -24,13 +25,11 @@ Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N): Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N): Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate: 127.0.0.1
Enter a dnsName of the subject of the certificate: Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate: Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate: Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): Enter the e-mail of the subject of the certificate:
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign other certificates? (y/N): y Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): Will the certificate be used to sign code? (y/N):
@ -51,24 +50,23 @@ Country name (2 chars):
Enter the subject's domain component (DC): Enter the subject's domain component (DC):
This field should not be used in new certificates. This field should not be used in new certificates.
E-mail: E-mail:
Enter the certificate's serial number in decimal (default: 6079998890988883856): Enter the certificate's serial number in decimal (default: 6080488276853553635):
Activation/Expiration time. Activation/Expiration time.
The certificate will expire in (days): -1 The certificate will expire in (days): -1
Extensions. Extensions.
Does the certificate belong to an authority? (y/N): Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N): Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: localhost
Enter a dnsName of the subject of the certificate: 127.0.0.1 Enter a dnsName of the subject of the certificate: 127.0.0.1
Enter a dnsName of the subject of the certificate: localhost
Enter a dnsName of the subject of the certificate: Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate: Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate: Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate: Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for signing (required for TLS)? (Y/n): Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used for encryption (not required for TLS)? (Y/n):
To create a CRL for the server certificate: To create a CRL for the server certificate:
@ -78,4 +76,3 @@ Update times.
The certificate will expire in (days): -1 The certificate will expire in (days): -1
CRL Number (default: 6080006793650397145): CRL Number (default: 6080006793650397145):


@ -1,21 +1,20 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDXjCCAkagAwIBAgIIVGB8TiyN5TswDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE MIIDPjCCAiagAwIBAgIIVGI7SyiXCDUwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0 AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0
MTExMDA4NTAyNFoYDzk5OTkxMjMxMjM1OTU5WjAwMREwDwYDVQQDEwhHTlUgV2dl MTExMTE2MzczM1oYDzk5OTkxMjMxMjM1OTU5WjAwMREwDwYDVQQDEwhHTlUgV2dl
dDENMAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VMIIBIjANBgkqhkiG9w0BAQEF dDENMAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAv2IR1/gsaJsn+egtVFbMMMbivK+eVzPY8wEXb2flpe9a AAOCAQ8AMIIBCgKCAQEAv2IR1/gsaJsn+egtVFbMMMbivK+eVzPY8wEXb2flpe9a
Kkwz824nSSrWfRigQmf/ODkNlK2x91kppfPmWkClUREQB3I4d/sHFnzqCkFKmNwt Kkwz824nSSrWfRigQmf/ODkNlK2x91kppfPmWkClUREQB3I4d/sHFnzqCkFKmNwt
VT4DsL47VumgZF6ZjSqTYQD3MDH3VhFj1iKrRMM/aCZXwntD+67sKw6UPXfFbfUO VT4DsL47VumgZF6ZjSqTYQD3MDH3VhFj1iKrRMM/aCZXwntD+67sKw6UPXfFbfUO
Recpb7fCZPZFVFYStxgcF7cyH+DADLX5QCEjiLYH1es6FXrdw+ypgwBl+HuLkQ/4 Recpb7fCZPZFVFYStxgcF7cyH+DADLX5QCEjiLYH1es6FXrdw+ypgwBl+HuLkQ/4
gE0JLQK5PAKSYeLy0JEBUPovkMXT+r9aPkQBF/9WD6uUPia0ERHbMIT0My84hBrG gE0JLQK5PAKSYeLy0JEBUPovkMXT+r9aPkQBF/9WD6uUPia0ERHbMIT0My84hBrG
9d5u5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABo3gwdjAPBgNVHRMB 9d5u5gXPnH1ZxKIr8iJOYCydVjYndn21zs2IExwL6wIDAQABo1gwVjAPBgNVHRMB
Af8EBTADAQH/MBQGA1UdEQQNMAuCCTEyNy4wLjAuMTAdBgNVHSUEFjAUBggrBgEF Af8EBTADAQH/MBMGA1UdJQQMMAoGCCsGAQUFBwMJMA8GA1UdDwEB/wQFAwMHBgAw
BQcDAQYIKwYBBQUHAwkwDwYDVR0PAQH/BAUDAwemADAdBgNVHQ4EFgQU8z5OOIRK HQYDVR0OBBYEFPM+TjiESqm+wW/HYaNQ2m4pi+tUMA0GCSqGSIb3DQEBCwUAA4IB
qb7Bb8dho1DabimL61QwDQYJKoZIhvcNAQELBQADggEBAEyG0E8RrSNfv9ZtqidB AQCWKV1Txo3xytRSO1PwWK9ce5FhvQW9mubuuWmbEnQt9JaOhO1Og6ZmdPDlAQeo
9j660p8CynFDsX+hjfR1Sy4v5aUxxaA1spj/L5ioQXgjFKfht3zyPQBwLDSWNb41 m0CJZZ0VNeodoBXPGopy3VyzF4ZzUR9leGk3sb1qTSoDCvJd/zLrfukHKugtwuK0
1yaGrPjwDfal/CWY1lJHGZGiEuxtZ32mMYNSUNBQk0t2P33NssdjdtJ8Tm9BZwqH b1fPnEjBjQ6gQI21coc1tmyX8Qsm7of5n+Ji601WG+FiVmmdEsCjmA/eAvwSbu1E
/NxHTi00MTQlG4L01KSAf7wJtapA1Ad6u6WAU+316EuTQ0eh7owOugaSIpCFgwQA cAVH476KUt4CrpVPQQVqzFPDz8i4iw/P+Jo+iNmL5S72OG2GfkSJq3XkUYa509W6
hq3SkUW8P2hL9ZYX0lGzaqE9oKm9dIvpfVPrWhbhnGMPR2X/7B8IgK84r3Eb1CF2 N+8c3p4y0q/PcQ92s1OIHyEPZFRFhm4xw0sHkhD2KVoHseHZjCoYn4/lIzMPnJ6v
3nysbcWH8BSxpN0d8oYPhUFi3jyV9InqFvEPxyMQ9MmtjDb4JpA6tkL6UwP77br6 EfZUJQXndeJnffbthaUp8Ea2
Th0=
-----END CERTIFICATE----- -----END CERTIFICATE-----


@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDgDCCAmigAwIBAgIIVGB+xzQpT5AwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE MIIDgDCCAmigAwIBAgIIVGI73zrIeeMwDQYJKoZIhvcNAQELBQAwMDERMA8GA1UE
AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0 AxMIR05VIFdnZXQxDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTAiGA8yMDE0
MTExMDA5MDA1OVoYDzk5OTkxMjMxMjM1OTU5WjAxMRIwEAYDVQQDEwkxMjcuMC4w MTExMTE2NDAwMFoYDzk5OTkxMjMxMjM1OTU5WjAxMRIwEAYDVQQDEwkxMjcuMC4w
LjExDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTCCASIwDQYJKoZIhvcNAQEB LjExDTALBgNVBAsTBFdnZXQxDDAKBgNVBAoTA0dOVTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMjC3Gt55EfStl6mE371+pD3/cpR5MLxkdbBss5MlIP2 BQADggEPADCCAQoCggEBAMjC3Gt55EfStl6mE371+pD3/cpR5MLxkdbBss5MlIP2
TDhiPOItLXml8oxs4BjUm3wfn3GV9iJLmbzbIWL+0kbRkQ2LCPKUf+Cln3z2ZE+r TDhiPOItLXml8oxs4BjUm3wfn3GV9iJLmbzbIWL+0kbRkQ2LCPKUf+Cln3z2ZE+r
@ -9,13 +9,13 @@ XwdWlT8gVfv51Opfkp2lLDVUqLfNKRGQgivjSCmLqY2LqeB0SaVNvuaD3EpqZyIH
0E5SZgjqBHgRRtvGkcy0rOmp5SI2NASLugUioXa9OLWjpYDwodsd3ERlL0DJ1aJW 0E5SZgjqBHgRRtvGkcy0rOmp5SI2NASLugUioXa9OLWjpYDwodsd3ERlL0DJ1aJW
8TC8Tqix4i0osWzar+LXBIin0Qvar9/uRHN0p1kq3p0XgNHKqWpiTT54+WYx7Pem 8TC8Tqix4i0osWzar+LXBIin0Qvar9/uRHN0p1kq3p0XgNHKqWpiTT54+WYx7Pem
v4qRXz11swiJzUL+Pw1DurQ9smbzDgAsz7V2FJnUeCcCAwEAAaOBmDCBlTAMBgNV v4qRXz11swiJzUL+Pw1DurQ9smbzDgAsz7V2FJnUeCcCAwEAAaOBmDCBlTAMBgNV
HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdEQQYMBaCCWxvY2Fs HRMBAf8EAjAAMB8GA1UdEQQYMBaCCTEyNy4wLjAuMYIJbG9jYWxob3N0MBMGA1Ud
aG9zdIIJMTI3LjAuMC4xMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323L JQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0OBBYEFJfm323L
JbKTM/tMKSt0qlUqewbnMB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tU JbKTM/tMKSt0qlUqewbnMB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tU
MA0GCSqGSIb3DQEBCwUAA4IBAQBeRV2kMWuksna/E6hqcQ5C76UFq9RDcvxIoJQ/ MA0GCSqGSIb3DQEBCwUAA4IBAQCDmuSD4IGmn0UQ5jhGQquh92Iu59j64Rrg7EIM
2ANywD+EcQYyBNSSL+yyv6/Pp9gXlqjciYdb3OgdPb++3y/UC6IxkeFv1uNDwJfS zoppciyYR8gDUutOI9CEisxJz6umvAdOo5L981gcFaBv6hHWaE/krAZccR+ZXZP6
HVX9avm12CXfZt4zMrq1GQX4gjJ9jkItMCY4atdyAQROGnzDWzNuwSWaasL3oUPT fI9btO8My8O63fYcd2KkLEFqvKDF43i01S2LrqXdPo3uELbFZwxCmUKsexFGsoW1
qDUMHZR2kH2cIr9S07YT/8RslMdlMgeI4Y9JCGuRspgxwnDtM5L3vZEnGsud7DSa CbXbRjnS7w/f72myRmvBeDiNMuGfe1lb4IflybH3DMlKC7i0AN1JKglp+IKn5XAE
1/8LGiYydNIpCikwd2Pzdwp9G8mm7AExU3AsXPCyYxDWWjfyhBjTY+5aR57igNeB neWR03i3UaYJsibIxj0DkTS+hVPu5MXQ9RlF5CkRdFKjGinLE/u70XyAyx0/IeAN
CaP+xoDNilbJ/RM+0Ygv/ue7gY49f8nESQP+0HQVborwl3h2 e7c2MJvpdfRmTXm2ew4sNyK9RXo7Bv0Yqkl65iMscF8LNnxL
-----END CERTIFICATE----- -----END CERTIFICATE-----


@ -1,12 +1,12 @@
-----BEGIN X509 CRL----- -----BEGIN X509 CRL-----
MIIB1DCBvQIBATANBgkqhkiG9w0BAQsFADAwMREwDwYDVQQDEwhHTlUgV2dldDEN MIIB1DCBvQIBATANBgkqhkiG9w0BAQsFADAwMREwDwYDVQQDEwhHTlUgV2dldDEN
MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VGA8yMDE0MTExMDA5MzUyMVoYDzk5 MAsGA1UECxMEV2dldDEMMAoGA1UEChMDR05VGA8yMDE0MTExMTE2NDU1NFoYDzk5
OTkxMjMxMjM1OTU5WjAdMBsCCFRgfsc0KU+QGA8yMDE0MTExMDA5MzUyMVqgNjA0 OTkxMjMxMjM1OTU5WjAdMBsCCFRiO986yHnjGA8yMDE0MTExMTE2NDU1NFqgNjA0
MB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMBEGA1UdFAQKAghUYIba MB8GA1UdIwQYMBaAFPM+TjiESqm+wW/HYaNQ2m4pi+tUMBEGA1UdFAQKAghUYj1E
N/WqiDANBgkqhkiG9w0BAQsFAAOCAQEALV862K6ErgDdHKVag2mibcyguI83mPUm KHs9ijANBgkqhkiG9w0BAQsFAAOCAQEAZgwqs1VOFG39dFHHMXvBr4eJfhwiG4bC
AhkbZ0vUFIjf39kDwXfBdGjQPPRilAM+2nraN7UTZs6y+2UDTbavaOpn5YFEoP5f cL6IvLhvl9ikcyQMHrpOBtNjkCtgclSbJjjTDdera1+zuCWE0WBOJ4mojYdAIOhR
Z6AN+PMEVi8QfkpQHIRJPVg1noJMBU+KgqGvzg7pCpzD8WyrH/4AAmuQoD18YndP QvSwp4NwAtibu2F/fjeXoo+LEpcRKtLvAotB30eCZ1OPrijsa/HxFILOLlayjns8
SQGmTvsap3nCQPtCcGnONbdvqlHF47toy9nYz+4auS+RpEPiUa9YT5zNOwQwlQg5 wM4RmQC4o43y1G/1jqM8hGDg4Wz0j1URVuyP+pU55JpubV5LlExy3gIRwevD2lam
cgdbkheEqN3SLeTAxvDSVaHbVEr2U7rsR8ckMNXE0xgNuDmvIiTiqps+e2oE88Ii q3hiighenJYFO3HGZkYT2SIoSpXZnQqKPJ4HwRBSg/cjOpc1y1lIIvKhmk+Cut6M
421c+VGZE4LE5NeETIk8V4drxbdYZpwRB2/BzmDwKhMAB8WBIH2sFA== +S5HL4pIk8vGYg57nTfOOkj1goqFkfU0DBqvVAZj02ay/VIDu61T1g==
-----END X509 CRL----- -----END X509 CRL-----