Follow-up Comment #9, bug #43799 (project wget):
I tested only wget 1.16.3 (the Debian/unstable package) for the moment. The
error comes from OCSP stapling. If I do the same tests with port 4433 (where I
have a temporary test server with "openssl s_server -CAfile old.crt -key
old.key -cert old.crt -www", without OCSP stapling support), I don't get the
revocation error. A clearer message would be better.
If OCSP responder information is missing, there should be an error because in
case of a MITM attack (which is the main reason why certificates are used), the
attacker will probably try to block OCSP responders if the attack occurs at
the Internet access point of the user (e.g. wifi hotspot) or on the local
network. But this could be configurable via an option.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?43799>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
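
Added example, not part of the comment above and not wget code: a shell sketch of the check and the configurable policy the comment discusses, classifying the stapling section of `openssl s_client -status` output and deciding whether a missing OCSP status is an error. The function names, the `hard`/`soft` policy values and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify the OCSP stapling section of `openssl s_client -status` output.
# Reads that output on stdin and prints one of: good, revoked, unknown, none.
staple_status() {
    awk '
        /OCSP response: no response sent/ { s = "none" }
        /Cert Status: good/               { s = "good" }
        /Cert Status: revoked/            { s = "revoked" }
        /Cert Status: unknown/            { s = "unknown" }
        END { print (s == "" ? "none" : s) }
    '
}

# Decide whether to continue. $1 = staple status, $2 = policy (hypothetical):
#   hard = a missing status is an error, soft = a missing status is tolerated.
# Design choice of this sketch: anything other than good/none is rejected.
ocsp_decision() {
    case "$1" in
        good) echo accept ;;
        none) if [ "$2" = soft ]; then echo accept; else echo reject; fi ;;
        *)    echo reject ;;
    esac
}

# Live check against a host:port, e.g. the test server on port 4433.
# Not called here, so the block runs offline.
check_host() {
    openssl s_client -connect "$1" -status </dev/null 2>/dev/null | staple_status
}

# Constructed, abbreviated samples of s_client -status output.
NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent'
GOOD_STAPLE='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
REVOKED_STAPLE='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'

for sample in "$NO_STAPLE" "$GOOD_STAPLE" "$REVOKED_STAPLE"; do
    st=$(printf '%s\n' "$sample" | staple_status)
    echo "$st: hard=$(ocsp_decision "$st" hard) soft=$(ocsp_decision "$st" soft)"
done
```

Under the `hard` policy a server that sends no staple is treated the same as a blocked responder, which is the behaviour the comment argues for; `soft` corresponds to the opt-out it suggests.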