wget-dev
wget2 | OpenSSL OCSP: Do not contact OCSP responder if stapled OCSP resp


From: @rockdaboot
Subject: wget2 | OpenSSL OCSP: Do not contact OCSP responder if stapled OCSP response is available (#578)
Date: Sun, 02 Jan 2022 13:52:49 +0000


Tim Rühsen created an issue: https://gitlab.com/gnuwget/wget2/-/issues/578



You can see that for `amazon.com`, we get a stapled OCSP response. Still we 
check both server certificates for revocation via the OCSP responder. OCSP 
stapling has been made to avoid contacting the OCSP responder.

To reproduce:
```
rm ~/.local/share/wget/.wget-ocsp
src/wget2 -d -O/dev/null https://amazon.com -olog
```
Examine the `log` file closely.

The first action would be to avoid the OCSP request for any cert that we got a 
stapled OCSP response for.

In a second step, we should think about whether checking a single cert of the cert 
chain is enough.
Someone suggested this in the past and I rejected it. But currently I think we 
should find out what browsers do and if that is safe enough from our point of 
view.

For Chrome/Chromium it looks like they don't contact OCSP responders at all. 
Instead they rely on a built-in list of revoked certificates. Obviously, this 
only works if the Chrome update cycle is short enough. Likely not a good idea 
for Wget2.
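The first step the issue asks for, skipping the responder for any certificate that a fresh stapled response already covers, written out as an added example in Python (this is not wget2's own code, which is C on OpenSSL). The chain, serials, responder URL and timestamps are constructed, and the `cache` dict stands in for the `.wget-ocsp` file.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ocsp_url: Optional[str]          # responder URL from the AIA extension, if any

@dataclass(frozen=True)
class StapledResponse:
    issuer: str
    serial: int
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime

def staple_covers(resp: StapledResponse, cert: Cert, now: datetime) -> bool:
    """A staple replaces a responder query only if it names this exact cert
    (issuer + serial) and its validity window contains 'now'."""
    return (resp.issuer == cert.issuer and resp.serial == cert.serial
            and resp.this_update <= now < resp.next_update)

def plan_revocation_checks(chain, stapled, now, cache):
    """Return (verdicts, certs_to_query). verdicts maps subject -> status;
    cache maps subject -> (status, expiry), standing in for .wget-ocsp."""
    verdicts: Dict[str, str] = {}
    to_query: List[Cert] = []
    for cert in chain:
        staple = next((r for r in stapled if staple_covers(r, cert, now)), None)
        if staple is not None:               # step 1 of the issue: no round trip
            verdicts[cert.subject] = staple.status
        elif cert.subject in cache and cache[cert.subject][1] > now:
            verdicts[cert.subject] = cache[cert.subject][0]
        elif cert.ocsp_url is None:
            verdicts[cert.subject] = "no-responder"
        else:
            to_query.append(cert)            # only these hit the network
    return verdicts, to_query

def chain_rejected(verdicts: Dict[str, str]) -> bool:
    """Any revoked cert in the chain rejects the whole connection."""
    return any(s == "revoked" for s in verdicts.values())

# Constructed sample data (not real certificates, serials or responders).
NOW = datetime(2022, 1, 2, 13, 52, tzinfo=timezone.utc)
LEAF = Cert("example.test", "Example Intermediate CA", 0x1001, "http://ocsp.example.test")
INTER = Cert("Example Intermediate CA", "Example Root CA", 0x2002, "http://ocsp.example.test")
CHAIN = [LEAF, INTER]

def sample_staple(status="good", hours_left=6.0):
    """Constructed stapled response for LEAF; hours_left < 0 makes it stale."""
    return StapledResponse(LEAF.issuer, LEAF.serial, status,
                           NOW - timedelta(hours=6), NOW + timedelta(hours=hours_left))
```

A stale or mismatched staple falls through to the cache and then to the responder, so the stapled path never weakens the check; it only removes the redundant round trip the issue describes.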
