[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2016-07-14 Thread anonymous
Follow-up Comment #12, bug #43799 (project wget): FYI, this bug can be tested with https://revoked.grc.com/. Other potentially useful resources: https://www.grc.com/revocation.htm

Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-20 Thread Tim Ruehsen
On Wednesday 19 August 2015 18:19:16 Petr Pisar wrote:
> On Wed, Aug 19, 2015 at 03:37:06PM +, Tim Ruehsen wrote:
> > Regarding MITM and other attacks... did you notice that OCSP responder URLs
> > are HTTP (plain text) with all the insecurity? I never saw a HTTPS URL, did you?
> >

Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Petr Pisar
On Wed, Aug 19, 2015 at 03:37:06PM +, Tim Ruehsen wrote:
> Regarding MITM and other attacks... did you notice that OCSP responder URLs
> are HTTP (plain text) with all the insecurity? I never saw a HTTPS URL, did you?
>
There is no need for HTTPS. The OCSP response is signed by the CA's OC

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Vincent Lefèvre
Follow-up Comment #11, bug #43799 (project wget): Concerning the OCSP responder, I suppose that the response has some sort of signature, in which case there would be no insecurity.

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Tim Ruehsen
Follow-up Comment #10, bug #43799 (project wget): Wget does not have 'normal' OCSP built in. Well, OCSP stapling works transparently within GnuTLS and is turned on by default. When GnuTLS comes back with GNUTLS_CERT_REVOKED, all we can do is to say "The certificate of %s has been revoked". Bec

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Vincent Lefèvre
Follow-up Comment #9, bug #43799 (project wget): I tested only wget 1.16.3 (the Debian/unstable package) for the moment. The error comes from OCSP stapling. If I do the same tests with port 4433 (where I have a temporary test server with "openssl s_server -CAfile old.crt -key old.key -cert old.crt

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Tim Ruehsen
Follow-up Comment #8, bug #43799 (project wget): Vincent, or is the revocation due to OCSP stapling? I guess it is... so the OCSP responder has been asked by the server and the answer has been included in the TLS handshake. That's why we get "The certificate has been revoked." Should we amend t

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Tim Ruehsen
Follow-up Comment #7, bug #43799 (project wget): Thanks for testing wget2 (to correct myself: it is branch 'tim/wget2'). Some part of your cert chain has been revoked. GnuTLS determines that even before asking any OCSP responder. So, the message from GnuTLS is somewhat wrong, maybe a GnuTLS bug?

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-18 Thread Vincent Lefèvre
Follow-up Comment #6, bug #43799 (project wget): If I understand correctly, the "revoked" error I get with wget https://www.vinc17.net:4434/ is due to some check done by GNUTLS, but this is not sufficient. Wget doesn't report anything in case of lack of OCSP response (which would typically be

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-13 Thread Tim Ruehsen
Follow-up Comment #5, bug #43799 (project wget): OCSP Stapling is available in git branch 'wget2'. So Wget2 is in work (experimental, but working), but not yet publicly promoted. A backport of OCSP code to Wget1.x will come sooner or later...

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-12 Thread Vincent Lefèvre
Follow-up Comment #4, bug #43799 (project wget): GnuTLS supports OCSP since Version 3.0.12 (released 2012-01-20) according to its NEWS file: ** libgnutls: Added OCSP support. In Debian, with the wget 1.15-1 package (which was already built with GNUTLS 3.2+), the revocation was not checked. Accor

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-12 Thread Deborah
Follow-up Comment #3, bug #43799 (project wget): Starting from which versions of wget and GnuTLS is OCSP supported?

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-05-03 Thread Vincent Lefèvre
Follow-up Comment #2, bug #43799 (project wget): OK, it wasn't clear that GnuTLS had to implement OCSP, which is actually better since all software linked with GnuTLS can benefit from it. So, now I can see in Debian/unstable (which now has a new GnuTLS version): $ wget https://www.vinc17.net:4434