Follow-up Comment #10, bug #43799 (project wget):

Wget does not have 'normal' OCSP built in. Well, OCSP stapling works transparently within GnuTLS and is turned on by default.

When GnuTLS comes back with GNUTLS_CERT_REVOKED, all we can do is say "The certificate of %s has been revoked", because I know of no way to say if this is because of OCSP stapling or due to loaded CRL files.

But OCSP stapling only holds the OCSP response for one (the server's) certificate. Most servers today seem to have a chain of certs... OCSP stapling alone gives one more check but no security.

Regarding MITM and other attacks... did you notice that OCSP responder URLs are HTTP (plain text), with all the insecurity? I never saw an HTTPS URL, did you?

BTW, https://www.google.de still has a 3 cert chain, one of them without AIA element (so no possibility for OCSP / revocation checking).

_______________________________________________________
Reply to this item at: <http://savannah.gnu.org/bugs/?43799>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/

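The situation the comment describes, as an added example that is not part of wget, GnuTLS or the Savannah thread: it builds a constructed two-certificate chain in which the root carries no AIA extension at all and the leaf advertises its OCSP responder over plain http://, reports for each certificate whether any OCSP check is possible and whether the responder URL is unencrypted, and then performs the CRL side of a "has been revoked" verdict by checking the leaf's serial against a CRL signed by the root. Go's crypto/x509 stands in for GnuTLS here; the certificate names and URLs (Constructed Test Root, www.example.test, ocsp.example.test, ca.example.test) are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// chainReport records, per certificate, whether OCSP checking is possible at
// all (AIA present) and whether the advertised responder URLs are plain http://.
type chainReport struct {
	Subject   string
	OCSPURLs  []string
	NoAIA     bool // no OCSP responder and no caIssuers URL: nothing to query
	PlainHTTP bool // at least one responder URL is http://, i.e. unencrypted
}

// inspectChain walks a chain (leaf first) and reports on each certificate.
// OCSPServer and IssuingCertificateURL are Go's parsed AIA access descriptions.
func inspectChain(chain []*x509.Certificate) []chainReport {
	var out []chainReport
	for _, c := range chain {
		r := chainReport{Subject: c.Subject.CommonName, OCSPURLs: c.OCSPServer}
		r.NoAIA = len(c.OCSPServer) == 0 && len(c.IssuingCertificateURL) == 0
		for _, u := range c.OCSPServer {
			if strings.HasPrefix(strings.ToLower(u), "http://") {
				r.PlainHTTP = true
			}
		}
		out = append(out, r)
	}
	return out
}

// revokedByCRL is the CRL side of a "has been revoked" verdict: true if cert's
// serial is listed in a CRL whose signature verifies against issuer.
func revokedByCRL(cert, issuer *x509.Certificate, crlDER []byte) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// testPKI is a constructed root + leaf chain and a CRL; the names and URLs are
// made up for this example and belong to no real CA.
type testPKI struct {
	Root, Leaf *x509.Certificate
	CRL        []byte
}

func (p *testPKI) chain() []*x509.Certificate { return []*x509.Certificate{p.Leaf, p.Root} }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func buildPKI() *testPKI {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	// Root CA with no AIA extension at all, like the chain certificate without
	// an AIA element mentioned in the comment.
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	check(err)
	root, err := x509.ParseCertificate(rootDER)
	check(err)
	// Leaf that advertises its OCSP responder over plain http://, as AIA
	// entries in the wild typically do.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:            []string{"http://ocsp.example.test"},
		IssuingCertificateURL: []string{"http://ca.example.test/root.crt"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	// CRL signed by the root that lists the leaf's serial as revoked.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, root, rootKey)
	check(err)
	return &testPKI{Root: root, Leaf: leaf, CRL: crlDER}
}

func main() {
	p := buildPKI()
	for _, r := range inspectChain(p.chain()) {
		fmt.Printf("%-22s noAIA=%-5v plainHTTP=%-5v ocsp=%v\n", r.Subject, r.NoAIA, r.PlainHTTP, r.OCSPURLs)
	}
	revoked, err := revokedByCRL(p.Leaf, p.Root, p.CRL)
	check(err)
	fmt.Println("leaf revoked by CRL:", revoked)
}
```

Running it shows the two findings from the comment side by side: the root has nothing to query, so the only revocation signal for it is a locally loaded CRL, and the leaf's responder is reachable only over plaintext HTTP, which is why a stapled response (signed by the CA, carried inside the TLS handshake) is the more trustworthy source for that one certificate even though it covers nothing else in the chain. The CRL check verifies the list's signature against the issuer before trusting any entry in it.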