[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2016-07-14 Thread anonymous
Follow-up Comment #12, bug #43799 (project wget): fyi, this bug can be tested with https://revoked.grc.com/ other potentially useful resources: https://www.grc.com/revocation.htm

Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-20 Thread Tim Ruehsen
On Wednesday 19 August 2015 18:19:16 Petr Pisar wrote: On Wed, Aug 19, 2015 at 03:37:06PM +, Tim Ruehsen wrote: Regarding MITM and other attacks... did you notice that OCSP responder URLs are HTTP (plain text) with all the insecurity? I never saw an HTTPS URL, did you? There is

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Vincent Lefèvre
Follow-up Comment #9, bug #43799 (project wget): I tested only wget 1.16.3 (the Debian/unstable package) for the moment. The error comes from OCSP stapling. If I do the same tests with port 4433 (where I have a temporary test server with openssl s_server -CAfile old.crt -key old.key -cert old.crt

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Tim Ruehsen
Follow-up Comment #10, bug #43799 (project wget): Wget does not have 'normal' OCSP built in. Well, OCSP stapling works transparently within GnuTLS and is turned on by default. When GnuTLS comes back with GNUTLS_CERT_REVOKED, all we can do is say "The certificate of %s has been revoked."

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Vincent Lefèvre
Follow-up Comment #11, bug #43799 (project wget): Concerning the OCSP responder, I suppose that the response has some sort of signature, in which case there would be no insecurity.

Re: [Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Petr Pisar
On Wed, Aug 19, 2015 at 03:37:06PM +, Tim Ruehsen wrote: Regarding MITM and other attacks... did you notice that OCSP responder URLs are HTTP (plain text) with all the insecurity? I never saw an HTTPS URL, did you? There is no need for HTTPS. The OCSP response is signed by the CA's OCSP

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Tim Ruehsen
Follow-up Comment #8, bug #43799 (project wget): Vincent, or is the revocation due to OCSP stapling? I guess it is... so the OCSP responder has been asked by the server and the answer has been included in the TLS handshake. That's why we get "The certificate has been revoked." Should we amend

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-19 Thread Tim Ruehsen
Follow-up Comment #7, bug #43799 (project wget): Thanks for testing wget2 (to correct myself: it is branch 'tim/wget2'). Some part of your cert chain has been revoked. GnuTLS determines that even before asking any OCSP responder. So, the message from GnuTLS is somewhat wrong, maybe a GnuTLS bug

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-18 Thread Vincent Lefèvre
Follow-up Comment #6, bug #43799 (project wget): If I understand correctly, the "revoked" error I get with wget https://www.vinc17.net:4434/ is due to some check done by GnuTLS, but this is not sufficient. Wget doesn't report anything in case of lack of OCSP response (which would typically be

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-13 Thread Tim Ruehsen
Follow-up Comment #5, bug #43799 (project wget): OCSP Stapling is available in git branch 'wget2'. So Wget2 is in work (experimental, but working), but not yet publicly promoted. A backport of OCSP code to Wget1.x will come sooner or later...

[Bug-wget] [bug #43799] wget should implement OCSP + OCSP stapling

2015-08-12 Thread Deborah
Follow-up Comment #3, bug #43799 (project wget): Starting from which versions of wget and GnuTLS is OCSP supported? Reply to this item at: http://savannah.gnu.org/bugs/?43799