[PATCH] wget: don't silently ignore certificate validation

Kang-Che Sung explorer09 at gmail.com
Sun May 27 02:27:17 UTC 2018


On Fri, May 25, 2018 at 12:50 AM, Jakub Jirutka <jakub at jirutka.cz> wrote:
> Internal TLS code (FEATURE_WGET_HTTPS) does not implement validation
> of the server's certificate.  It is documented in the code, but not
> even mentioned in the --help message, so users typically don't know
> about this behaviour.  That's a crime against security!
>
> This patch changes this behaviour for the case when both
> FEATURE_WGET_LONG_OPTIONS and FEATURE_WGET_HTTPS are enabled - any
> attempt to open a TLS connection using internal TLS code (i.e. without
> certificate validation) ends with error, unless the user specified
> option "--no-check-certificate".
>

Jakub,

I wonder if you can revise your patch, so that it prints a warning that
the certificate check is skipped instead of erroring and quitting.
That way the patch might have a chance of getting accepted.

