Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3
From: @rockdaboot
Subject: Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
Date: Fri, 31 Dec 2021 16:39:02 +0000
Tim Rühsen commented:
Let's do it like we do it in `ssl_gnutls.c`: Only if nextUpdate is -1 we check
for an age of 3 days (*). If nextUpdate is set to a future date/time, we should
just continue.
(*) We can discuss if this range is too short, but first I would like to
encounter a site where nextUpdate is -1.
I am talking about this GnuTLS code:
```
if (ntime == -1) {
	if (config.ocsp_date && now - vtime > OCSP_VALIDITY_SECS) {
		debug_printf("*** The OCSP response is old (was issued at: %s) ignoring",
			safe_ctime(vtime, timebuf, sizeof(timebuf)));
		goto cleanup;
	}
} else {
	/* there is a newer OCSP answer, don't trust this one */
	if (ntime < now) {
		debug_printf("*** The OCSP response was issued at: %s",
			safe_ctime(vtime, timebuf, sizeof(timebuf)));
		debug_printf(" but there is a newer issue at %s",
			safe_ctime(ntime, timebuf, sizeof(timebuf)));
		goto cleanup;
	}
}
```
We also should use `OCSP_VALIDITY_SECS` in `ssl_openssl.c` (maybe we need
another header file `ssl.h` or maybe better `tls.h`). Do you have time to do
these changes?
I am fixing an issue in the HTML parser
(https://github.com/rockdaboot/wget2/issues/242) and then I would like to tag a
new bugfix release (v2.0.1).
--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnuwget/wget2/-/issues/577#note_798971104
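
The freshness rule described in the message above, written as a backend-neutral helper next to an unconditional age check for contrast. This is an added example, not code from wget2: the function names, the enum, and the value of `OCSP_VALIDITY_SECS` (taken from the "3 days" in the message) are assumptions, and the timestamps in `main` are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Assumed value: the "3 days" named in the message, in seconds. */
#define OCSP_VALIDITY_SECS (3 * 24 * 60 * 60)
#define OCSP_NO_NEXT_UPDATE ((time_t) -1) /* responder sent no nextUpdate */

typedef enum {
	OCSP_FRESH,     /* response may be used */
	OCSP_TOO_OLD,   /* no nextUpdate and thisUpdate is older than the limit */
	OCSP_SUPERSEDED /* nextUpdate has passed, a newer response exists */
} ocsp_freshness;

/* Hypothetical helper: vtime = thisUpdate, ntime = nextUpdate,
 * check_date plays the role of config.ocsp_date in the quoted snippet. */
ocsp_freshness ocsp_check_freshness(time_t vtime, time_t ntime, time_t now, bool check_date)
{
	if (ntime == OCSP_NO_NEXT_UPDATE) {
		/* Only without nextUpdate does the age of thisUpdate matter. */
		if (check_date && now - vtime > OCSP_VALIDITY_SECS)
			return OCSP_TOO_OLD;
		return OCSP_FRESH;
	}
	return ntime < now ? OCSP_SUPERSEDED : OCSP_FRESH;
}

/* For contrast: the age limit applied even when nextUpdate is present. */
ocsp_freshness ocsp_check_age_always(time_t vtime, time_t ntime, time_t now)
{
	if (now - vtime > OCSP_VALIDITY_SECS)
		return OCSP_TOO_OLD;
	if (ntime != OCSP_NO_NEXT_UPDATE && ntime < now)
		return OCSP_SUPERSEDED;
	return OCSP_FRESH;
}

int main(void)
{
	const time_t day = 24 * 60 * 60, now = 1640968742; /* constructed timestamp */
	static const char *name[] = { "fresh", "too old", "superseded" };

	/* Response issued 5 days ago, nextUpdate 2 days ahead. */
	printf("nextUpdate-aware: %s\n", name[ocsp_check_freshness(now - 5 * day, now + 2 * day, now, true)]);
	printf("age always:       %s\n", name[ocsp_check_age_always(now - 5 * day, now + 2 * day, now)]);
	/* Same age, but the responder sent no nextUpdate. */
	printf("no nextUpdate:    %s\n", name[ocsp_check_freshness(now - 5 * day, OCSP_NO_NEXT_UPDATE, now, true)]);
	return 0;
}
```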