Auto merge of #1467 - ageis:wget-cert-verify, r=str4d
Verify TLS certificates w/ wget in fetch-params.sh

Per NCC-2016-017, wget was being run with `--no-check-certificate`, which means that the connection can be man-in-the-middled, even if we are verifying the integrity of the parameters later via hash sums. The rationale cited in the Bash comments does not stand up to scrutiny. There's really no persuasive reason not to verify certificates.

Fixes #1346.
commit
0df0ce05f0
|
@ -21,13 +21,8 @@ function fetch_params {
|
||||||
if ! [ -f "$output" ]
|
if ! [ -f "$output" ]
|
||||||
then
|
then
|
||||||
echo "Retrieving: $url"
|
echo "Retrieving: $url"
|
||||||
# Note: --no-check-certificate should be ok, since we rely on
|
|
||||||
# sha256 for integrity, and there's no confidentiality requirement.
|
|
||||||
# Our website uses letsencrypt certificates which are not supported
|
|
||||||
# by some wget installations, so we expect some cert failures.
|
|
||||||
wget \
|
wget \
|
||||||
--progress=dot:giga \
|
--progress=dot:giga \
|
||||||
--no-check-certificate \
|
|
||||||
--output-document="$dlname" \
|
--output-document="$dlname" \
|
||||||
--continue \
|
--continue \
|
||||||
"$url"
|
"$url"
|
||||||
|
|
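Review bot: With `--no-check-certificate` dropped from the wget call, any host whose wget cannot validate the site's certificate (the case the removed comment described) will now fail at this call, and nothing in the hunk tells the user why. Consider checking wget's exit status here and printing a hint to update the system CA bundle, rather than leaving the user with a bare wget error. It is also worth confirming that `$url` is always an https:// URL, since certificate verification only applies then; its definition is outside the visible lines. Because `--continue` resumes an existing `$dlname`, a partial file left behind by the old unverified download is still picked up, so the later sha256 check stays necessary.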