bug-wget

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling


From: Tim Ruehsen
Subject: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling
Date: Wed, 19 Aug 2015 15:37:06 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.1.0

Follow-up Comment #10, bug #43799 (project wget):

Wget does not have 'normal' OCSP built in.
Well, OCSP stapling works transparently within GnuTLS and is turned on by
default.

When GnuTLS comes back with GNUTLS_CERT_REVOKED, all we can do is to say
"The certificate of %s has been revoked", because I know of no way to say if
this is because of OCSP stapling or due to loaded CRL files.

But OCSP stapling only holds the OCSP response for one (the server's)
certificate. Most servers today seem to have a chain of certs... OCSP stapling
alone gives one more check but no security.

Regarding MITM and other attacks... did you notice that OCSP responder URLs
are HTTP (plain text) with all the insecurity? I never saw an HTTPS URL, did
you?

BTW, https://www.google.de still has a 3-cert chain, one of them without an AIA
element (so no possibility for OCSP / revocation checking).

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?43799>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
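The two checks the message above turns on, whether each certificate in a chain carries an AIA extension with an OCSP responder at all and whether that responder is reachable only over plain HTTP, as an added example. This is not wget or GnuTLS code and not part of the original thread: it builds an AuthorityInfoAccess extension value with a minimal DER encoder, parses it back, and audits a constructed sample chain (the hostnames under example.test and the chain itself are made up for illustration).

```python
# Added example (not wget or GnuTLS code): minimal DER helpers to build and
# parse an X.509 AuthorityInfoAccess (AIA) extension value, then audit a
# constructed certificate chain for what the message points at: certificates
# without any AIA (no responder to ask) and responders that are plain http://.
# Only the DER tags this structure uses are handled; not a general X.509 parser.

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # 0x86: GeneralName [6] URI


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_aia(entries):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF SEQUENCE { OID, GeneralName }"""
    descs = b"".join(
        der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(oid))
                + der_tlv(TAG_URI, uri.encode("ascii")))
        for oid, uri in entries)
    return der_tlv(TAG_SEQUENCE, descs)


def read_tlv(buf, pos):
    """Return (tag, body, position after the element); rejects truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_aia(der):
    """Return [(accessMethod OID, URI or None)] from an AIA extension value."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("AIA value is not a single SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid, after_oid = read_tlv(desc, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OID")
        tag, location, after_loc = read_tlv(desc, after_oid)
        if after_loc != len(desc):
            raise ValueError("trailing bytes in AccessDescription")
        # Only the uniformResourceIdentifier form of GeneralName carries a URL.
        uri = location.decode("ascii") if tag == TAG_URI else None
        entries.append((decode_oid(oid), uri))
    return entries


def ocsp_responders(aia_der):
    return [uri for oid, uri in parse_aia(aia_der) if oid == OID_OCSP and uri]


def audit_chain(chain):
    """chain: [(label, AIA DER or None)], leaf first.  Per certificate:
    'no-aia' (nothing to ask), 'no-ocsp' (AIA lists no responder),
    'http' (some responder is plain HTTP), 'https' (all responders https://)."""
    result = {}
    for label, aia in chain:
        if aia is None:
            result[label] = "no-aia"
            continue
        urls = ocsp_responders(aia)
        if not urls:
            result[label] = "no-ocsp"
        elif all(u.lower().startswith("https://") for u in urls):
            result[label] = "https"
        else:
            result[label] = "http"
    return result


# Constructed sample chain (not real certificates): leaf and intermediate
# advertise plain-HTTP responders, the root carries no AIA extension at all.
SAMPLE_CHAIN = [
    ("leaf", encode_aia([(OID_OCSP, "http://ocsp.example.test"),
                         (OID_CA_ISSUERS, "http://pki.example.test/ca.crt")])),
    ("intermediate", encode_aia([(OID_OCSP, "http://ocsp.example.test/ca")])),
    ("root", None),
]

if __name__ == "__main__":
    for label, status in audit_chain(SAMPLE_CHAIN).items():
        print(f"{label:13s} {status}")
```

Run against real certificates by feeding `audit_chain` the raw AIA extension values (the OCTET STRING contents of extension 1.3.6.1.5.5.7.1.1) from each certificate in the chain; a 'no-aia' result is exactly the case the message describes where a stapled response for the leaf says nothing about the rest of the chain.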
