RISC OS Open: Forum: wget, https and certificates

Mar 26, 2021 2:42pm

In case this helps anyone…

On realising that wget would work very well with https, except that it doesn’t know where to find the CertData file, I did a bit of digging. I found that setting the environment variable SSL_CERT_FILE to point to your CertData file allows wget to access the file. It doesn’t require adding anything to the wget command line, it doesn’t require certificate chain checking to be turned off, and it should work regardless of what wget is being asked to access.

The best setting, for a standard setup of RISC OS, appears to be:

set SSL_CERT_FILE InetDbase:CertData

I’ve added the line to my Internet.!Boot file.

Mar 26, 2021 6:41pm

Steve Pampling (1551) 8170 posts

In case this helps anyone…

In view of the shift to things secure that probably needs rewording to “In case this helps everyone…” or even “This should help everyone”

So, excellent work(again) Mr Higton.

I’ve added the line to my Internet.!Boot file.

All things considered perhaps that should be in the RO source?

Mar 26, 2021 8:11pm

Dave Higton (1515) 3526 posts

So, excellent work(again) Mr Higton.

Thank you, Sir.

All things considered perhaps that should be in the RO source?

The thought had occurred to me too.

Mar 26, 2021 9:43pm

Steve Pampling (1551) 8170 posts

The thought had occurred to me too.

It does encourage the use of certificated links and make that easier.
Every application on RO that references certificates should be looking at the same certificate store.

Mar 26, 2021 11:35pm

Martin Avison (27) 1494 posts

perhaps that should be in the RO source?

Depends whether SSL_CERT_FILE is only used by Wget or by other things as well.
If only Wget it should be in !Wget.!Boot
If used in other things then Internet.!Boot would be better.
[Edited to avoid textile helpfully removing vital text]

Mar 27, 2021 6:06am

Frank de Bruijn (160) 228 posts

As far as I’m aware it belongs to the openssl library.

Mar 27, 2021 6:50am

David Pitt (3386) 1248 posts

wget does come with certificate related command line switches.

wget --ca-certificate=InetDbase:CertData https....
wget --ca-certificate=<CaCertificates$Dir>.ca-certificates/crt  https...

Rigorously tested here once.

Mar 27, 2021 7:22am

Ronald (387) 195 posts

Yes atm the autobuilder wget is forced to compile with openssl.
It is normal in debian/ubuntu etc to use gnutls, and it is possible to do so for RISC OS.
Where it gets hairy though is all the options for the optional assembly routines for
the various arm processors particularly in openssl-1.1.1. The test suite runs faster using them, but you will potentially end up with many (cpu) versions of wget, not to mention the other openssl/gnutls uses.

Mar 27, 2021 10:55am

Chris Gransden (337) 1207 posts

As far as I’m aware it belongs to the openssl library.

There’s an explanation of SSL_CERT_FILE and SSL_CERT_DIR here.

If wget is built with gnutls then SSL_CERT_FILE has no effect.

wget, https and certificates

Reply

Search forums

Social

ROOL Store

Donate! Why?

RISC OS IPR

Description

Voices

Options

Mar 26, 2021 2:42pm Dave Higton (1515) 3526 posts	In case this helps anyone… On realising that wget would work very well with https, except that it doesn’t know where to find the CertData file, I did a bit of digging. I found that setting the environment variable SSL_CERT_FILE to point to your CertData file allows wget to access the file. It doesn’t require adding anything to the wget command line, it doesn’t require certificate chain checking to be turned off, and it should work regardless of what wget is being asked to access. The best setting, for a standard setup of RISC OS, appears to be: `set SSL_CERT_FILE InetDbase:CertData` I’ve added the line to my Internet.!Boot file.

Mar 26, 2021 6:41pm Steve Pampling (1551) 8170 posts	In case this helps anyone… In view of the shift to things secure that probably needs rewording to “In case this helps everyone…” or even “This should help everyone” So, excellent work(again) Mr Higton. I’ve added the line to my Internet.!Boot file. All things considered perhaps that should be in the RO source?

Mar 26, 2021 8:11pm Dave Higton (1515) 3526 posts	So, excellent work(again) Mr Higton. Thank you, Sir. All things considered perhaps that should be in the RO source? The thought had occurred to me too.

Mar 26, 2021 9:43pm Steve Pampling (1551) 8170 posts	The thought had occurred to me too. It does encourage the use of certificated links and make that easier. Every application on RO that references certificates should be looking at the same certificate store.

Mar 26, 2021 11:35pm Martin Avison (27) 1494 posts	perhaps that should be in the RO source? Depends whether SSL_CERT_FILE is only used by Wget or by other things as well. If only Wget it should be in `!Wget.!Boot` If used in other things then `Internet.!Boot` would be better. [Edited to avoid textile helpfully removing vital text]

Mar 27, 2021 6:06am Frank de Bruijn (160) 228 posts	As far as I’m aware it belongs to the openssl library.

Mar 27, 2021 6:50am David Pitt (3386) 1248 posts	`wget` does come with certificate related command line switches. wget --ca-certificate=InetDbase:CertData https.... wget --ca-certificate=<CaCertificates$Dir>.ca-certificates/crt https... Rigorously tested here once.

Mar 27, 2021 7:22am Ronald (387) 195 posts	Yes atm the autobuilder wget is forced to compile with openssl. It is normal in debian/ubuntu etc to use gnutls, and it is possible to do so for RISC OS. Where it gets hairy though is all the options for the optional assembly routines for the various arm processors particularly in openssl-1.1.1. The test suite runs faster using them, but you will potentially end up with many (cpu) versions of wget, not to mention the other openssl/gnutls uses.

Mar 27, 2021 10:55am Chris Gransden (337) 1207 posts	As far as I’m aware it belongs to the openssl library. There’s an explanation of SSL_CERT_FILE and SSL_CERT_DIR here. If wget is built with gnutls then SSL_CERT_FILE has no effect.