From e70213103c9d225e714969eb6245d5bb1d9d98fd Mon Sep 17 00:00:00 2001
From: Kevin Gallagher <kgallagher@cloudflare.com>
Date: Fri, 30 Sep 2016 12:08:15 -0700
Subject: [PATCH] Verify TLS certificates w/ wget in fetch-params.sh

Per NCC-2016-017, wget was run with --no-check-certificate,
which means that the connection can be man-in-the-middled,
even if we are verifying the integrity of the params later via hash sums.
The rationale cited in the Bash comments does not stand up to scrutiny.
There's really no persuasive reason not to verify certificates.

Fixes #1346.
---
 zcutil/fetch-params.sh | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/zcutil/fetch-params.sh b/zcutil/fetch-params.sh
index 8ca8477a..7a3f7519 100755
--- a/zcutil/fetch-params.sh
+++ b/zcutil/fetch-params.sh
@@ -21,13 +21,8 @@ function fetch_params {
     if ! [ -f "$output" ]
     then
         echo "Retrieving: $url"
-        # Note: --no-check-certificate should be ok, since we rely on
-        # sha256 for integrity, and there's no confidentiality requirement.
-        # Our website uses letsencrypt certificates which are not supported
-        # by some wget installations, so we expect some cert failures.
         wget \
             --progress=dot:giga \
-            --no-check-certificate \
             --output-document="$dlname" \
             --continue \
             "$url"