Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3

From: @rockdaboot
Subject: Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
Date: Fri, 31 Dec 2021 16:39:02 +0000

Tim Rühsen commented:

Let's do it like we do it in `ssl_gnutls.c`: only if nextUpdate is -1 do we check 
for an age of 3 days (*). If nextUpdate is set to a future date/time, we should 
just continue.

(*) We can discuss whether this range is too short, but first I would like to 
encounter a site where nextUpdate is -1.

I am talking about this GnuTLS code:
        if (ntime == -1) {
                /* no nextUpdate in the response: fall back to a fixed maximum age */
                if (config.ocsp_date && now - vtime > OCSP_VALIDITY_SECS) {
                        debug_printf("*** The OCSP response is old (was issued at: %s) ignoring", safe_ctime(vtime, timebuf, sizeof(timebuf)));
                        goto cleanup;
                }
        } else {
                /* there is a newer OCSP answer, don't trust this one */
                if (ntime < now) {
                        debug_printf("*** The OCSP response was issued at: %s", safe_ctime(vtime, timebuf, sizeof(timebuf)));
                        debug_printf("    but there is a newer issue at %s", safe_ctime(ntime, timebuf, sizeof(timebuf)));
                        goto cleanup;
                }
        }

We also should use `OCSP_VALIDITY_SECS` in `ssl_openssl.c` (maybe we need 
another header file `ssl.h`, or maybe better `tls.h`). Do you have time to do 
these changes?

I am fixing an issue in the HTML parser 
(https://github.com/rockdaboot/wget2/issues/242) and then I would like to tag a 
new bugfix release (v2.0.1).

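The freshness rule discussed in the comment above, as an added stand-alone example (this is not wget2's code and not the `ssl_gnutls.c` snippet quoted in the message). It keeps the thread's names: `vtime` is thisUpdate, `ntime` is nextUpdate with -1 meaning "absent" (the GnuTLS convention the thread relies on), `OCSP_VALIDITY_SECS` is the 3-day fallback, and a `check_date` argument stands in for `config.ocsp_date`. The function name `ocsp_check_freshness`, the `ocsp_verdict` enum and the sample responses in `main` are constructed for illustration. One check goes beyond the quoted snippet and is labelled as such in the code: a response whose thisUpdate lies in the future is rejected as well, since a client cannot know that status to be correct yet.

```c
#include <stdio.h>
#include <time.h>

/* 3 days, the same fallback age as in the thread. */
#define OCSP_VALIDITY_SECS (3 * 24 * 60 * 60)

/* Hypothetical verdict type; wget2 itself just jumps to cleanup. */
enum ocsp_verdict {
	OCSP_OK = 0,      /* response may be used */
	OCSP_TOO_OLD,     /* no nextUpdate and thisUpdate older than OCSP_VALIDITY_SECS */
	OCSP_SUPERSEDED,  /* nextUpdate already passed: a newer response exists */
	OCSP_FROM_FUTURE  /* thisUpdate after now: extra check, not in the quoted snippet */
};

/*
 * vtime: thisUpdate of the response.
 * ntime: nextUpdate, or -1 when the responder omitted it.
 * check_date: mirrors config.ocsp_date; when 0 the age test is skipped,
 *             exactly as in the quoted code.
 */
enum ocsp_verdict ocsp_check_freshness(time_t now, time_t vtime, time_t ntime, int check_date)
{
	/* Extra check beyond the quoted snippet: status "known correct" at a
	 * future time is not usable yet (clock skew or a bogus response). */
	if (vtime > now)
		return OCSP_FROM_FUTURE;

	if (ntime == -1) {
		/* No nextUpdate: fall back to a fixed maximum age of thisUpdate. */
		if (check_date && now - vtime > OCSP_VALIDITY_SECS)
			return OCSP_TOO_OLD;
		return OCSP_OK;
	}

	/* nextUpdate present: it is authoritative, however old thisUpdate is. */
	if (ntime < now)
		return OCSP_SUPERSEDED;

	return OCSP_OK;
}

static const char *ocsp_verdict_name(enum ocsp_verdict v)
{
	switch (v) {
	case OCSP_OK:          return "ok";
	case OCSP_TOO_OLD:     return "too old (no nextUpdate, >3 days)";
	case OCSP_SUPERSEDED:  return "superseded (nextUpdate in the past)";
	case OCSP_FROM_FUTURE: return "thisUpdate in the future";
	}
	return "?";
}

int main(void)
{
	/* Constructed sample responses, relative to a fixed "now" (the mail's
	 * date, Fri 31 Dec 2021 16:39:02 UTC) so the run is reproducible. */
	const time_t now = 1640968742;
	const time_t day = 24 * 60 * 60;
	struct { const char *what; time_t vtime, ntime; int check_date; } samples[] = {
		{ "no nextUpdate, 2 days old",           now - 2 * day, -1,            1 },
		{ "no nextUpdate, 4 days old",           now - 4 * day, -1,            1 },
		{ "no nextUpdate, 4 days old, no check", now - 4 * day, -1,            0 },
		{ "10 days old, nextUpdate tomorrow",    now - 10 * day, now + day,    1 },
		{ "10 days old, nextUpdate yesterday",   now - 10 * day, now - day,    1 },
		{ "thisUpdate one minute ahead",         now + 60,       -1,           1 },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum ocsp_verdict v = ocsp_check_freshness(now, samples[i].vtime,
		                                           samples[i].ntime, samples[i].check_date);
		printf("%-40s -> %s\n", samples[i].what, ocsp_verdict_name(v));
	}
	return 0;
}
```

The fourth sample is the case the comment argues for: thisUpdate is well past the 3-day window, but because nextUpdate lies in the future the response is accepted; the age fallback only ever applies when `ntime == -1`.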
