wget-dev

Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3


From: @rockdaboot
Subject: Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
Date: Thu, 30 Dec 2021 13:04:06 +0000



Tim Rühsen commented:


> I was wondering why wget is doing that. AFAIK, as long as thisUpd < nextUpd 
> and nextUpd > now, that's enough to take an OCSP response as valid, at least 
> regarding the time. Why are we then checking that thisUpd is older than 3 
> days?

Looking at the code, we only check for "older than 3 days" if `nextUpd == -1`. 
-1 means that there is no end-of-life for the OCSP response. My gut feeling is 
that this is wrong and we should check for the age. But I agree that 3 days 
seems to be a very low value, and likely this value was derived from thin air.

Can we come up with a reasonable EOL value?
If not, we could make `--no-ocsp-date` the default and allow the user to set an 
EOL value.

So far I couldn't find any "best practice advice" for this. What do browsers do 
in case of `nextUpd == 1`?

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/577#note_798277820
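The time checks under discussion, written out as an added example that is not wget2's own code: `nextUpd == -1` marks a response without a nextUpdate field, the `max_age` parameter stands in for the questioned 3-day limit (a negative value disables it, as `--no-ocsp-date` would), and the names `ocsp_time_check`, `ocsp_time_result` and the constants are assumptions for this example. It also rejects responses whose thisUpdate lies in the future, which the thread does not mention.

```c
#include <time.h>

/* Outcome of the OCSP time checks (hypothetical names, not wget2's). */
enum ocsp_time_result {
    OCSP_TIME_OK = 0,
    OCSP_TIME_NOT_YET_VALID,  /* thisUpdate lies in the future */
    OCSP_TIME_EXPIRED,        /* nextUpdate has passed */
    OCSP_TIME_STALE,          /* no nextUpdate and thisUpdate older than max_age */
    OCSP_TIME_INVALID_WINDOW  /* nextUpdate is not after thisUpdate */
};

/* Sentinel for "no nextUpdate in the response", as in the discussion. */
#define OCSP_NO_NEXT_UPDATE ((time_t) -1)
/* The 3-day age limit questioned in the thread, in seconds. */
#define OCSP_DEFAULT_MAX_AGE (3L * 24 * 60 * 60)

/*
 * Judge an OCSP response by its time fields only.
 * check_dates == 0 models --no-ocsp-date: every time check is skipped.
 * max_age < 0 means "no age limit when nextUpdate is absent".
 */
enum ocsp_time_result
ocsp_time_check(time_t now, time_t this_upd, time_t next_upd,
                long max_age, int check_dates)
{
    if (!check_dates)
        return OCSP_TIME_OK;
    if (this_upd > now)
        return OCSP_TIME_NOT_YET_VALID;
    if (next_upd == OCSP_NO_NEXT_UPDATE) {
        /* This is the only branch where the age limit applies. */
        if (max_age >= 0 && (long) (now - this_upd) > max_age)
            return OCSP_TIME_STALE;
        return OCSP_TIME_OK;
    }
    if (next_upd <= this_upd)
        return OCSP_TIME_INVALID_WINDOW;
    if (now >= next_upd)          /* valid only while nextUpd > now */
        return OCSP_TIME_EXPIRED;
    return OCSP_TIME_OK;
}
```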