From: @rockdaboot
Subject: wget2 | OpenSSL OCSP: Do not contact OCSP responder if stapled OCSP response is available (#578)
Date: Sun, 02 Jan 2022 13:52:49 +0000
Tim Rühsen created an issue: https://gitlab.com/gnuwget/wget2/-/issues/578
You can see that for `amazon.com`, we get a stapled OCSP response. Still, we
check both server certificates for revocation via the OCSP responder. OCSP
stapling has been made to avoid contacting the OCSP responder.
To reproduce:
```
rm ~/.local/share/wget/.wget-ocsp
src/wget2 -d -O/dev/null https://amazon.com -olog
```
Examine the `log` file closely.
The first action would be to avoid the OCSP request for any cert that we got a
stapled OCSP response for.
In a second step, we should think about whether checking a single cert of the
cert chain is enough.
Someone suggested this in the past and I rejected it. But currently I think we
should find out what browsers do and if that is safe enough from our point of
view.
For Chrome/Chromium it looks like they don't contact OCSP responders at all.
Instead they rely on a built-in list of revoked certificates. Obviously, this
only works if the Chrome update cycle is short enough. Likely not a good idea
for Wget2.
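The two steps above, written out as a small decision routine. This is an added example and not wget2 code: `Policy`, `NeedsResponderQuery`, `FromConnection` and `ConstructedChain` are names chosen here, the chain is generated on the fly with placeholder OCSP URLs, and the stapled response is only checked for presence, not parsed. It uses Go's `crypto/tls`, whose `ConnectionState.OCSPResponse` carries the status_request staple for the leaf certificate only, which is why a staple never excuses the intermediates from a responder query.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical knob for the second step discussed in the issue.
type Policy struct {
	LeafOnly bool // only the end-entity certificate is checked at all
}

// NeedsResponderQuery returns the certificates of a chain (leaf first, as the
// server sent it) for which a revocation check still has to contact an OCSP
// responder. stapled is the raw status_request response from the handshake;
// it covers only the leaf, so that is the only certificate a staple lets us skip.
func NeedsResponderQuery(chain []*x509.Certificate, stapled []byte, p Policy) []*x509.Certificate {
	var out []*x509.Certificate
	for i, cert := range chain {
		isLeaf := i == 0
		if isLeaf && len(stapled) > 0 {
			continue // step one: staple present, no network round-trip for the leaf
		}
		if !isLeaf && p.LeafOnly {
			continue // step two: intermediates are not checked under this policy
		}
		if len(cert.OCSPServer) == 0 {
			continue // no AIA OCSP URL (typically the self-signed root): nobody to ask
		}
		out = append(out, cert)
	}
	return out
}

// FromConnection applies the policy to a finished TLS handshake.
func FromConnection(cs tls.ConnectionState, p Policy) []*x509.Certificate {
	return NeedsResponderQuery(cs.PeerCertificates, cs.OCSPResponse, p)
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ConstructedChain builds a throwaway root -> intermediate -> leaf chain with
// placeholder (constructed, non-existent) OCSP responder URLs.
func ConstructedChain() ([]*x509.Certificate, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool, ocsp []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
			OCSPServer: ocsp,
		}
	}
	rootTmpl := tmpl(1, "Constructed Root", true, nil) // roots carry no AIA OCSP URL
	root, err := sign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := sign(tmpl(2, "Constructed Intermediate", true, []string{"http://ocsp.root.invalid"}), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := sign(tmpl(3, "www.example.invalid", false, []string{"http://ocsp.intermediate.invalid"}), inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

func main() {
	chain, err := ConstructedChain()
	if err != nil {
		panic(err)
	}
	staple := []byte{0x30, 0x03, 0x0a, 0x01, 0x00} // placeholder bytes: only presence matters here
	for _, tc := range []struct {
		name    string
		stapled []byte
		p       Policy
	}{{"no staple, whole chain", nil, Policy{}}, {"staple, whole chain", staple, Policy{}}, {"staple, leaf only", staple, Policy{LeafOnly: true}}} {
		fmt.Printf("%-24s ->", tc.name)
		for _, c := range NeedsResponderQuery(chain, tc.stapled, tc.p) {
			fmt.Printf(" %q", c.Subject.CommonName)
		}
		fmt.Println()
	}
}
```

With the constructed chain, "no staple, whole chain" lists the leaf and the intermediate, "staple, whole chain" lists only the intermediate, and "staple, leaf only" lists nothing; the root is never queried because it advertises no responder.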