wget-dev
Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3


From: @rockdaboot
Subject: Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
Date: Thu, 30 Dec 2021 16:28:31 +0000



Tim Rühsen commented:


@juaristi I implemented OCSP URI retrieval in a different way and pushed it.

URI retrieval seems to work fine. But OCSP validation for `google.com` now 
fails while it works for `github.com`.

Logs for google.com:
```
30.172506.990 Contacting OCSP server. URI: http://ocsp.pki.goog/gts1c3
30.172506.990 resolving ocsp.pki.goog:80...
30.172507.003 has 172.217.16.67:80
30.172507.003 has 2a00:1450:4005:80a::2003:80
30.172507.003 trying 172.217.16.67:80...
30.172507.003 opened connection ocsp.pki.goog
30.172507.003 # sent 320 bytes:
POST /gts1c3 HTTP/1.1^M
Host: ocsp.pki.goog^M
Accept-Encoding: identity^M
Accept: application/ocsp-response^M
Content-Type: application/ocsp-request^M
Content-Length: 151^M
^M
~
30.172507.003 ### req 0x7f2168054100 pending requests = 1
30.172507.041 # got header 222 bytes:
HTTP/1.1 200 OK^M
Content-Type: application/ocsp-response^M
Cache-Control: public, max-age=300^M
Date: Thu, 30 Dec 2021 16:25:07 GMT^M
Server: ocsp_responder^M
Content-Length: 5^M
X-XSS-Protection: 0^M
X-Frame-Options: SAMEORIGIN

30.172507.041 method 2
30.172507.041 closing connection
30.172507.041 *** OCSP response status:
30.172507.041 malformed request
Unsuccessful OCSP response
30.172507.041 add OCSP cert 12dab55f388ce1d0153c940b82a3fef17a36b0bd3a25db1bdc843a635d0bf5e2 (maxage=1640885107,valid=0)
30.172507.041 Contacting OCSP server. URI: http://ocsp.pki.goog/gtsr1
30.172507.041 Found dns cache entry ocsp.pki.goog:80
30.172507.041 trying 172.217.16.67:80...
30.172507.041 opened connection ocsp.pki.goog
30.172507.041 # sent 315 bytes:
POST /gtsr1 HTTP/1.1^M
Host: ocsp.pki.goog^M
Accept-Encoding: identity^M
Accept: application/ocsp-response^M
Content-Type: application/ocsp-request^M
Content-Length: 147^M
^M
~
30.172507.041 ### req 0x7f216804fd30 pending requests = 1
30.172507.071 # got header 222 bytes:
HTTP/1.1 200 OK^M
Content-Type: application/ocsp-response^M
Cache-Control: public, max-age=300^M
Date: Thu, 30 Dec 2021 16:25:07 GMT^M
Server: ocsp_responder^M
Content-Length: 5^M
X-XSS-Protection: 0^M
X-Frame-Options: SAMEORIGIN

30.172507.071 method 2
30.172507.071 closing connection
30.172507.071 *** OCSP response status:
30.172507.071 malformed request
Unsuccessful OCSP response
30.172507.071 add OCSP cert 23ecb03eec17338c4e33a6b48a41dc3cda12281bbc3ff813c0589d6cc2387522 (maxage=1640885107,valid=0)
Certificate revoked by OCSP.
Could not complete TLS handshake: certificate verify failed
30.172507.071 closing connection
Failed to connect: Certificate error
```

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/577#note_798480979
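
The `Content-Length: 5` body in the log above is the size of a DER-encoded OCSPResponse that carries only a non-successful `responseStatus` (RFC 6960), which is what "malformed request" reports. The C below is an added example, not wget2's code and not part of the original message: it decodes that status and keeps a responder error distinct from a revocation verdict. The sample bytes and the `verdict` names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OCSPResponseStatus values, RFC 6960 section 4.2.1 (4 is unused). */
enum { OCSP_SUCCESSFUL = 0, OCSP_MALFORMED_REQUEST = 1, OCSP_INTERNAL_ERROR = 2,
       OCSP_TRY_LATER = 3, OCSP_SIG_REQUIRED = 5, OCSP_UNAUTHORIZED = 6 };
/* Hypothetical verdict names for this example. */
enum verdict { V_PARSE_ERROR, V_RESPONDER_ERROR, V_NEEDS_BASIC_RESPONSE };
/* Constructed sample: status-only OCSPResponse body (not bytes from the log). */
static const uint8_t sample_malformed[] = { 0x30, 0x03, 0x0a, 0x01, 0x01 };

/* Return responseStatus from a DER OCSPResponse, or -1 if it cannot be read. */
int ocsp_response_status(const uint8_t *der, size_t len)
{
	size_t pos = 1, seq_len;
	if (len < 5 || der[0] != 0x30)                /* outer SEQUENCE */
		return -1;
	seq_len = der[pos++];
	if (seq_len & 0x80) {                         /* long-form length */
		size_t n = seq_len & 0x7f;
		if (n == 0 || n > sizeof(size_t) || n > len - pos)
			return -1;
		for (seq_len = 0; n > 0; n--)
			seq_len = (seq_len << 8) | der[pos++];
	}
	if (seq_len < 3 || seq_len > len - pos)       /* must hold the ENUMERATED */
		return -1;
	if (der[pos] != 0x0a || der[pos + 1] != 0x01) /* ENUMERATED, 1 byte */
		return -1;
	if (der[pos + 2] > 6 || der[pos + 2] == 4)    /* undefined status value */
		return -1;
	return der[pos + 2];
}

/* Only a successful response carries certStatus (in responseBytes, not parsed here). */
enum verdict classify(const uint8_t *der, size_t len)
{
	int st = ocsp_response_status(der, len);
	if (st < 0)
		return V_PARSE_ERROR;
	return st == OCSP_SUCCESSFUL ? V_NEEDS_BASIC_RESPONSE : V_RESPONDER_ERROR;
}

int main(void)
{
	printf("status=%d verdict=%d\n",
	       ocsp_response_status(sample_malformed, sizeof sample_malformed),
	       (int)classify(sample_malformed, sizeof sample_malformed));
	return 0;
}
```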