wget-dev
Re: wget2 | New option --dane (!522)


From: John Scott (@j0hns)
Subject: Re: wget2 | New option --dane (!522)
Date: Sun, 16 Apr 2023 18:27:38 +0000



John Scott commented:


> If we have CA certs loaded, should we do two verification steps (CA and DANE)?

That's a great question! Actually there is a special number (typically set to 
3, which means no CA verification required) that specifies whether you should 
verify both or just DANE. However, GnuTLS doesn't yet support that subtlety, 
and I doubt you want to parse DNS records on your own. Thus:

> For now I implemented "if either CA or DANE verification succeeds -> OK". But 
> we can change this.

As long as we document the behavior, that sounds like a sensible choice. This 
is experimental for now, after all.

Speaking of which, even though the library was available I still had to pass 
--with-libdane to get the support to build. That, in practice, means that 
distros will not enable it. Is that what we want?

All of that said, it worked for me and I approve this merge request.

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/merge_requests/522#note_1354377078
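
The "special number" discussed above is the certificate usage field of a TLSA record (RFC 6698). The following is an added example, not part of the original message and not wget2 or GnuTLS code: it parses TLSA RDATA and compares the per-usage acceptance rule with the "either CA or DANE succeeds" rule quoted in the thread. All names and the sample records are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLSA certificate usage field (RFC 6698 section 2.1.1; names from RFC 7218). */
enum { PKIX_TA = 0, PKIX_EE = 1, DANE_TA = 2, DANE_EE = 3 };

struct tlsa { uint8_t usage, selector, mtype; const uint8_t *data; size_t len; };

/* Constructed samples: 3 header bytes + 32 placeholder digest bytes (not real hashes). */
static const uint8_t SAMPLE_311[35] = { DANE_EE, 1, 1, 0xAA };
static const uint8_t SAMPLE_111[35] = { PKIX_EE, 1, 1, 0xAA };

/* Parse TLSA RDATA. Returns 0 on success, -1 if the record is malformed or
 * uses field values this example does not know (treated as unusable). */
int tlsa_parse(const uint8_t *rd, size_t n, struct tlsa *out)
{
    if (!rd || !out || n < 4) return -1;            /* header + at least 1 data byte */
    if (rd[0] > DANE_EE || rd[1] > 1 || rd[2] > 2) return -1;
    if (rd[2] == 1 && n - 3 != 32) return -1;       /* SHA-256 digest length */
    if (rd[2] == 2 && n - 3 != 64) return -1;       /* SHA-512 digest length */
    out->usage = rd[0]; out->selector = rd[1]; out->mtype = rd[2];
    out->data = rd + 3; out->len = n - 3;
    return 0;
}

/* Per-usage rule: 0/1 need CA (PKIX) validation AND a DANE match; 2/3 need DANE only. */
bool accept_strict(const struct tlsa *r, bool ca_ok, bool dane_ok)
{
    bool need_ca = (r->usage == PKIX_TA || r->usage == PKIX_EE);
    return dane_ok && (!need_ca || ca_ok);
}

/* The rule quoted in the thread: either check succeeding is enough. */
bool accept_either(bool ca_ok, bool dane_ok) { return ca_ok || dane_ok; }

int main(void)
{
    struct tlsa r;
    if (tlsa_parse(SAMPLE_311, sizeof SAMPLE_311, &r) != 0) return 1;
    /* CA chain validates but the TLSA record does not match the server key. */
    printf("usage %u, CA ok, DANE fail: strict=%d either=%d\n",
           (unsigned)r.usage, accept_strict(&r, true, false), accept_either(true, false));
    return 0;
}
```

The two rules differ whenever only one of the checks passes, which is the case the option's documentation needs to describe.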