Subject: Re: wget2 | * libwget/ssl_gnutls.c (verify_certificate_callback): Warn about OCSP privacy leak (!549)
From: frigo (@freedge1)
Date: Sun, 19 May 2024 14:55:47 +0000
frigo started a new discussion on libwget/ssl_gnutls.c:
https://gitlab.com/gnuwget/wget2/-/merge_requests/549#note_1911719280
> nvalid = 1;
> + skip_server_cert_check = true;
> }
> #if GNUTLS_VERSION_NUMBER >= 0x030400
> else if (gnutls_ocsp_status_request_is_checked(session,
> GNUTLS_OCSP_SR_IS_AVAIL)) {
> error_printf_check(_("WARNING: The
> certificate's (stapled) OCSP status is invalid\n"));
> + skip_server_cert_check = true;
> }
> #endif
> - else if (!config.ocsp)
> - error_printf_check(_("WARNING: OCSP stapling is
> not supported by '%s'\n"), hostname);
> + else if (!config.ocsp) {
> + debug_printf(_("OCSP stapling is not supported
> by '%s'\n"), hostname);
> + } else {
> + error_printf_check(_("WARNING: OCSP stapling is
> not supported by '%s', but OCSP validation has been requested.\n"),
> hostname);
> + error_printf_check(_("WARNING: This implies a
> privacy leak: the server's name is sent to the CA in clear text.\n"));
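Review bot: the `!config.ocsp` branch downgrades the former `error_printf_check` warning to `debug_printf`, so a user who has not enabled OCSP no longer sees any indication that the server does not staple; if that change in default visibility is intended, state it in the commit message or changelog. In the new `else` branch, the two `error_printf_check` calls could be folded into a single message, so the "privacy leak" caveat is never emitted without the condition that triggers it, and the wording of the second line should match what the OCSP request actually transmits.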
Technically the server's name is not sent, only the certificate ID is.
```suggestion:-0+0
error_printf_check(_("WARNING: This implies a
privacy leak: the client contacts the CA and sends the certificate serial ID
over HTTP.\n"));
```