author | Werner Koch <[email protected]> | 2018-04-25 07:43:18 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2018-04-25 10:38:04 +0000 |
commit | 705d8e9cf0d109005b3441766270c0e584f7847d (patch) | |
tree | b769b80d79627d283e9ce834e4f55b16fc700145 /dirmngr/server.c | |
parent | g10: Fix printing the keygrip with --card-status. (diff) | |
dirmngr: Implement CRL fetching via https.
* dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
* dirmngr/http.c (http_register_cfg_ca): New.
(http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
* dirmngr/certcache.c (load_certs_from_dir): Call new function.
(cert_cache_deinit): Ditto.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Add new args
'send_no_cache' and 'extra_http_trust_flags'. Change all callers to
provide the default value.
* dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of
ks_http_fetch.
--
The old code simply did not use https for downloading of CRLS.
Instead it rewrote https to http under the assumption that the CRL
service was also available without encryption. Note that a CRL is
self-standing and thus it does not need to have extra authenticity as
provided by TLS. These days we should not use any unencrypted content
and thus this patch.
Be aware that cacert.org gives a https CRL DP but that currently
redirects to http! This is a downgrade attack which we detect and
don't allow. The outcome is that it is right now not possible to use
CAcert certificates.
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'dirmngr/server.c')
-rw-r--r-- | dirmngr/server.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/dirmngr/server.c b/dirmngr/server.c index 48244d4af..8a0b940ce 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -1877,7 +1877,7 @@ static const char hlp_validate[] = " INQUIRE CERTLIST\n" "\n" "Here the first certificate is the target certificate, the remaining\n" - "certificates are suggested intermediary certificates. All certifciates\n" + "certificates are suggested intermediary certificates. All certificates\n" "need to be PEM encoded.\n" "\n" "The option --systrust changes the behaviour to include the system\n" @@ -1928,7 +1928,7 @@ cmd_validate (assuan_context_t ctx, char *line) err = gpg_error (GPG_ERR_MISSING_CERT); if (!err) { - /* Extraxt the first certificate from the list. */ + /* Extract the first certificate from the list. */ cert = certlist->cert; ksba_cert_ref (cert); } |
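Review bot: The commit message has no entry for dirmngr/server.c, yet the first hunk changes the hlp_validate help string there ("certifciates" to "certificates"). The spelling fix is unrelated to CRL fetching via https, so either add a line such as "* dirmngr/server.c (hlp_validate, cmd_validate): Fix typos." to the file list or move both spelling fixes into a separate commit, so that the history of the https change stays limited to the files it actually affects.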
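Review bot: In the cmd_validate hunk, the corrected comment still says "Extract the first certificate from the list", but the two lines under it do not remove anything from certlist: they copy certlist->cert and take an extra reference with ksba_cert_ref (cert). Since the comment is being touched anyway, consider wording it to match, for example "Take a reference to the first certificate in the list.", which also reminds the reader that this reference has to be released separately from the list.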