>>> - no OCSP stapling
>
> Probably this could help a bit?
> https://github.com/CyanogenMod/android_external_chromium_org_third_party_boringssl_src/commit/6c7aed048ca0a335e02dfee10976c5dc8620783e
> But I fear this could be a lot of porting work, because the link is for
> boringssl and chromium...
I think the openssl version in Replicant already supports OCSP stapling. But we would have to integrate it in the core libraries, likely also webview, and then we would have to make sure that at least the browser provides the user with some useful feedback if a certificate is revoked. So yes, this would be a lot of work.

Corresponding Android bug: https://code.google.com/p/android/issues/detail?id=68643

Interesting read linked in the bug report with reasons against implementing it: https://www.imperialviolet.org/2014/04/19/revchecking.html

> Thanks for reading until here :)

You're welcome :)

I already included two openssl patches in the patchset, but this is of course only the tip of the iceberg as the openssl version is so old.

I did some additional work and merged the cm-11.0 branch. Only one commit had to be reverted to make it work with Replicant 4.2:
https://code.fossencdi.org/replicant_openssl.git/commit/?id=716b36c2b1f66c939826a9437c70cf2f3b9116ff

The nice thing is that the version from the cm-11.0 branch is the exact same as in Debian Wheezy. So all that I had to do to patch this version was a simple git am <debian-security-patch>

The work is not complete as there are some patches left, but you can find the current status here:
https://code.fossencdi.org/replicant_openssl.git/

--
OpenPGP: 0F30 D1A0 2F73 F70A 6FEE 048E 5816 A24C 1075 7FC4
download: https://wiedmeyer.de/keys/ww.asc
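An added example, not part of this thread or of the Replicant openssl tree: a POSIX shell helper that checks from the client side whether a TLS server actually staples an OCSP response, by parsing the output of `openssl s_client -status`. The sample outputs embedded below are constructed to mirror the lines s_client prints; the host in `check_ocsp_staple` is whatever you pass in.

```shell
#!/bin/sh
# Reads `openssl s_client -status` output on stdin and prints one line:
#   no-response      server sent no stapled OCSP response
#   stapled:good     stapled response present, cert status good
#   stapled:revoked  stapled response present, cert status revoked
#   stapled:unknown  stapled response present, responder does not know the cert
#   unparsed         nothing recognisable (e.g. a Cert Status line without a
#                    successful response status, or a failed handshake)
parse_ocsp_staple() {
    awk '
        /OCSP response: no response sent/ { print "no-response"; found=1; exit }
        # Only trust a Cert Status line once the response itself was successful.
        /OCSP Response Status: successful/ { ok=1 }
        /Cert Status: good/    && ok { print "stapled:good";    found=1; exit }
        /Cert Status: revoked/ && ok { print "stapled:revoked"; found=1; exit }
        /Cert Status: unknown/ && ok { print "stapled:unknown"; found=1; exit }
        END { if (!found) print "unparsed" }
    '
}

# Live check against a host (network required). -servername sends SNI so the
# server picks the right certificate; -status requests a stapled response.
check_ocsp_staple() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_ocsp_staple
}

# Constructed sample outputs, shaped like what s_client prints.
SAMPLE_STAPLED_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_NO_RESPONSE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

if [ "$#" -ge 1 ]; then
    check_ocsp_staple "$1" "$2"
fi
```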
