bug-wget

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling


From: Vincent Lefèvre
Subject: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling
Date: Wed, 19 Aug 2015 11:14:21 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0

Follow-up Comment #9, bug #43799 (project wget):

I tested only wget 1.16.3 (the Debian/unstable package) for the moment. The
error comes from OCSP stapling. If I do the same tests with port 4433 (where I
have a temporary test server with "openssl s_server -CAfile old.crt -key
old.key -cert old.crt -www", without OCSP stapling support), I don't get the
revocation error. A clearer message would be better.

If OCSP responder information is missing, there should be an error because in
case of MITM attack (which is the main reason why certificates are used), the
attacker will probably try to block OCSP responders if the attack occurs at
the Internet access point of the user (e.g. wifi hotspot) or on the local
network. But this could be configurable via an option.

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?43799>

_______________________________________________
  Message posted via/by Savannah
  http://savannah.gnu.org/
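
The message above contrasts a server that staples an OCSP response with one that does not, and proposes failing closed with a configurable override. The sketch below is an added example, not part of the original message and not wget code. It classifies the stapling section printed by `openssl s_client -status` and applies such a policy. The `hard`/`soft` mode names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Live use (HOST:PORT is a placeholder):
#   openssl s_client -connect HOST:PORT -status </dev/null 2>/dev/null | staple_status

# Read s_client output on stdin and print one of:
#   good | revoked | unknown  (certificate status from the stapled response)
#   none                      (the server sent no stapled response)
#   error                     (stapled response present but not usable)
staple_status() {
    awk '
        /OCSP response: no response sent/ { s = "none" }
        /OCSP Response Status:/ { s = ($0 ~ /successful/) ? "pending" : "error" }
        /Cert Status:/ && s == "pending" { s = $3 }
        END { print (s == "" ? "none" : (s == "pending" ? "error" : s)) }
    '
}

# decide STATUS MODE: exit status 0 means proceed, 1 means abort.
# MODE is a hypothetical option (not a wget flag): "hard" fails closed
# when there is no usable revocation answer, "soft" proceeds anyway.
# A revoked certificate is rejected in both modes.
decide() {
    case "$1" in
        good)    return 0 ;;
        revoked) return 1 ;;
        *)       [ "$2" = soft ] ;;
    esac
}

# Constructed sample output, not captured from a real server.
sample_stapled() {   # $1 = good | revoked | unknown
    printf '%s\n' 'OCSP response:' '======================================' \
        'OCSP Response Data:' '    OCSP Response Status: successful (0x0)' \
        '    Response Type: Basic OCSP Response' "    Cert Status: $1"
}
sample_no_staple() {
    printf '%s\n' 'CONNECTED(00000003)' 'OCSP response: no response sent'
}

# Show how the two modes differ when the server staples nothing.
for mode in hard soft; do
    st=$(sample_no_staple | staple_status)
    if decide "$st" "$mode"; then verdict=proceed; else verdict=abort; fi
    echo "mode=$mode status=$st -> $verdict"
done
```
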



