wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)

[Ander Juaristi (@juaristi)]

Ander Juaristi created an issue: https://gitlab.com/gnuwget/wget2/-/issues/577



I've just pushed a change that fixes a bug where [some TLS handshakes were 
failing](https://github.com/rockdaboot/wget2/issues/243) without apparent 
reason.

The problem was coming from the fact that we were checking `thisUpd` to be max 
3 days older from now on an OCSP response. I've disabled that check for stapled 
OCSP responses.

This check was present in both the OpenSSL code as well as the GnuTLS one, but 
GnuTLS didn't apply it for stapled OCSP responses (only for non-stapled ones), 
whereas OpenSSL did.

I was wondering why is wget doing that. AFAIK, as long as `thisUpd` < `nextUpd` 
and `nextUpd` > `now`, that's enough to take an OCSP response as valid. At 
least regarding the time. Why are we then, checking that `thisUpd` is older 
than 3 days?

If we can't come up with a good reason, I'd rather remove this check, as the 
TLS code is already a bit more complex than I'd like to, and I'd like to reduce 
complexity where possible.

Moreover, all the tests are running with `--no-ocsp-date`, which disables those 
checks, so yet another more reason to remove it if we're not even testing it.

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/577
You're receiving this email because of your account on gitlab.com.