Control: retitle -1 curl should check certificate revocation status by default
On 2014-04-26 13:19:35 +0200, Alessandro Ghedini wrote:
> TL;DR: let's do OCSP instead of downloading CRLs. It would still
> need someone to actually write the code though (ideally for all
> OpenSSL, GnuTLS and NSS).

Well, I can see that curl now has a --cert-status option, which works:

xvii:~> curl --cert-status https://www.vinc17.net:4434/
curl: (91) SSL certificate revocation reason: (UNKNOWN) (-1)

Without it, no errors. :(

But most users and scripts don't use it (because it is new and/or they
don't know about it?), and are thus potentially vulnerable to an MITM
attack. Checking the certificate revocation status should be done by
default for security reasons, like what lynx and wget now do thanks to
the new GnuTLS version.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
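The following is an added example, not part of Vincent's message and not curl's own code. It shows what a script author can do today: a wrapper that always passes `--cert-status` and maps curl's exit codes into a verdict, plus a diagnostic that uses `openssl s_client -status` to show whether the server stapled an OCSP response at all. Two caveats a practitioner should know: `--cert-status` relies on the Certificate Status Request (OCSP stapling) TLS extension, so curl also fails with exit code 91 when the server simply sends no stapled response, not only when the certificate is revoked; and the check only works when curl was built against a TLS backend that implements it (OpenSSL, GnuTLS or NSS). The `CURL` variable, the function names and the host used in the usage line are this example's own choices; exit codes 0, 35, 60 and 91 are curl's documented codes.

```shell
#!/bin/sh
# Added example: force OCSP-stapling based revocation checking in curl
# and turn the result into a short verdict. Assumes curl >= 7.41 with a
# TLS backend that supports --cert-status. CURL is overridable so the
# wrapper can be exercised without network access (hypothetical knob,
# not a curl feature).
CURL=${CURL:-curl}

# check_cert_status URL
# Prints a one-line verdict and returns curl's exit code unchanged.
check_cert_status() {
    url=$1
    "$CURL" --silent --show-error --output /dev/null --cert-status "$url"
    rc=$?
    case $rc in
        0)  echo "ok: chain verified and stapled OCSP response says 'good'" ;;
        # 91 = CURLE_SSL_INVALIDCERTSTATUS: revoked, bad/expired OCSP
        # response, or no stapled response at all.
        91) echo "FAIL: certificate status check failed (curl exit 91)" ;;
        60) echo "FAIL: peer certificate not trusted (curl exit 60)" ;;
        35) echo "FAIL: TLS handshake error (curl exit 35)" ;;
        *)  echo "FAIL: curl exited with $rc" ;;
    esac
    return $rc
}

# show_stapled_ocsp HOST [PORT]
# Diagnostic for an exit-91 result: prints the "OCSP response:" line
# that openssl s_client emits ("no response sent" when the server does
# not staple) and, when a response is present, its "Cert Status:" line
# (good / revoked / unknown). Needs network access.
show_stapled_ocsp() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | grep -E 'OCSP response:|Cert Status:'
}

# Usage (replace the host with the one you want to check):
#   check_cert_status https://www.vinc17.net:4434/ || show_stapled_ocsp www.vinc17.net 4434
```

When the wrapper reports exit 91 and the diagnostic prints "OCSP response: no response sent", the problem is a non-stapling server rather than a revoked certificate; a "Cert Status: revoked" line is the case the bug report is about.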