wget-dev

From: @rockdaboot
Subject: Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
Date: Fri, 31 Dec 2021 16:39:02 +0000



Tim Rühsen commented:


Let's do it like we do it in `ssl_gnutls.c`: only if nextUpdate is -1 do we check
for an age of 3 days (*). If nextUpdate is set to a future date/time, we should
just continue.

(*) we can discuss if this range is too short, but first I would like to 
encounter a site where nextUpdate is -1.

I am talking about this GnuTLS code:
```c
        if (ntime == -1) {
                if (config.ocsp_date && now - vtime > OCSP_VALIDITY_SECS) {
                        debug_printf("*** The OCSP response is old (was issued at: %s) ignoring",
                                     safe_ctime(vtime, timebuf, sizeof(timebuf)));
                        goto cleanup;
                }
        } else {
                /* there is a newer OCSP answer, don't trust this one */
                if (ntime < now) {
                        debug_printf("*** The OCSP response was issued at: %s",
                                     safe_ctime(vtime, timebuf, sizeof(timebuf)));
                        debug_printf("    but there is a newer issue at %s",
                                     safe_ctime(ntime, timebuf, sizeof(timebuf)));
                        goto cleanup;
                }
        }
```

We also should use `OCSP_VALIDITY_SECS` in `ssl_openssl.c` (maybe we need
another header file `ssl.h`, or maybe better `tls.h`). Do you have time to do
these changes?

I am at fixing an issue in the HTML parser
(https://github.com/rockdaboot/wget2/issues/242) and then I would like to tag a
new bugfix release (v2.0.1).

-- 
Reply to this email directly or view it on GitLab: 
https://gitlab.com/gnuwget/wget2/-/issues/577#note_798971104
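The freshness rule described in the comment above, written out as a stand-alone C function. This is an added example, not code from wget2 or from Tim Rühsen: the function and enum names are assumptions, and the timestamps in `main()` are constructed. It mirrors the `ssl_gnutls.c` logic (no nextUpdate: reject only when thisUpdate is older than `OCSP_VALIDITY_SECS`; nextUpdate present: reject once it lies in the past) and goes one step beyond it by also rejecting a thisUpdate that lies in the future, which the quoted snippet does not check.

```c
/* Added example: a model of the OCSP response freshness check discussed in
 * the thread.  Not wget2 code; names and sample timestamps are assumptions. */
#include <stdio.h>
#include <time.h>

/* Same value the thread refers to in ssl_gnutls.c: three days. */
#define OCSP_VALIDITY_SECS (3 * 24 * 60 * 60)

enum ocsp_freshness {
    OCSP_FRESH = 0,      /* accept the response */
    OCSP_TOO_OLD,        /* no nextUpdate and thisUpdate older than OCSP_VALIDITY_SECS */
    OCSP_SUPERSEDED,     /* nextUpdate already passed: a newer response should exist */
    OCSP_NOT_YET_VALID   /* thisUpdate in the future: clock skew or a bogus response */
};

/* next_update == -1 means the responder did not include nextUpdate.
 * check_date plays the role of config.ocsp_date in the quoted snippet. */
enum ocsp_freshness ocsp_check_freshness(time_t now, time_t this_update,
                                         time_t next_update, int check_date)
{
    /* Extra check not in the quoted snippet: a response "issued" in the
     * future cannot be trusted to describe the current status. */
    if (this_update > now)
        return OCSP_NOT_YET_VALID;

    if (next_update == -1) {
        /* No nextUpdate: fall back to the fixed age limit. */
        if (check_date && now - this_update > OCSP_VALIDITY_SECS)
            return OCSP_TOO_OLD;
        return OCSP_FRESH;
    }

    /* nextUpdate present: the age of thisUpdate is irrelevant, only whether
     * the responder promised newer information by now. */
    if (next_update < now)
        return OCSP_SUPERSEDED;
    return OCSP_FRESH;
}

const char *ocsp_freshness_name(enum ocsp_freshness f)
{
    switch (f) {
    case OCSP_FRESH:         return "fresh";
    case OCSP_TOO_OLD:       return "too old (no nextUpdate, > 3 days)";
    case OCSP_SUPERSEDED:    return "superseded (nextUpdate in the past)";
    case OCSP_NOT_YET_VALID: return "not yet valid (thisUpdate in the future)";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed reference clock and response timestamps (seconds). */
    const time_t now = 1640966342;  /* an arbitrary fixed "now" */
    const struct { const char *label; time_t this_upd, next_upd; int check; } cases[] = {
        { "1h old, no nextUpdate",            now - 3600,       -1,          1 },
        { "4d old, no nextUpdate",            now - 4 * 86400,  -1,          1 },
        { "4d old, no nextUpdate, no check",  now - 4 * 86400,  -1,          0 },
        { "4d old, nextUpdate tomorrow",      now - 4 * 86400,  now + 86400, 1 },
        { "1h old, nextUpdate 1s ago",        now - 3600,       now - 1,     1 },
        { "thisUpdate 1h in the future",      now + 3600,       -1,          1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum ocsp_freshness f = ocsp_check_freshness(now, cases[i].this_upd,
                                                     cases[i].next_upd, cases[i].check);
        printf("%-36s -> %s\n", cases[i].label, ocsp_freshness_name(f));
    }
    return 0;
}
```

The fourth case is the one the thread is about: a response whose thisUpdate is four days old is still accepted when the responder set a nextUpdate in the future, because the age limit only applies when nextUpdate is absent.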