On Mon, May 04, 2015 at 03:15:19AM +0200, Vincent Lefevre wrote:
> Control: retitle -1 curl should check certificate revocation status by default
>
> On 2014-04-26 13:19:35 +0200, Alessandro Ghedini wrote:
> > TL;DR: let's do OCSP instead of downloading CRLs. It would still
> > need someone to actually write the code though (ideally for all
> > OpenSSL, GnuTLS and NSS).
>
> Well, I can see that curl now has a --cert-status option, which works:
>
> xvii:~> curl --cert-status https://www.vinc17.net:4434/
> curl: (91) SSL certificate revocation reason: (UNKNOWN) (-1)
>
> Without it, no errors. :(
>
> But most users and scripts don't use it (because it is new and/or they
> don't know it?), thus are potentially vulnerable to MITM attack.
>
> Checking the certificate revocation status should be done by default
> for security reasons, like what lynx and wget now do thanks to the new
> GnuTLS version.
--cert-status only checks for the status_request TLS extension, which is not supported by most servers (which means curl will fail by default on most requests). So no, curl will not enable the option by default, at least until status_request catches on.

Cheers
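To see for yourself which case a given server falls into, the probe below (an added example, not code from the bug report, curl or Debian) performs a TLS handshake with the status_request extension using `openssl s_client -status` and classifies the stapled OCSP result, which is the same signal `curl --cert-status` relies on. The `probe_stapling` and `curl_cert_status` helpers need network access; the classifier is exercised offline against constructed sample output whose strings follow the format `openssl s_client` prints, and the host names used are placeholders.

```shell
#!/bin/sh
# Added example: check whether a TLS server staples an OCSP response
# (the status_request extension) and interpret the result.

# Classify raw `openssl s_client -status` output read from stdin.
# Prints one of: none | good | revoked | unknown | other
#   none    - server did not staple a response; `curl --cert-status`
#             fails here (exit 91) even though the certificate may be fine
#   good    - stapled response says the certificate is not revoked
#   revoked - stapled response says the certificate is revoked
#   unknown - responder does not know the certificate
#   other   - no recognisable OCSP status (handshake failed, odd output)
classify_stapling_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
        echo good
    elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
        echo revoked
    elif printf '%s\n' "$out" | grep -q 'Cert Status: unknown'; then
        echo unknown
    else
        echo other
    fi
}

# Live probe (requires network): handshake with status_request and classify.
# Usage: probe_stapling example.invalid [443]
probe_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -status -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | classify_stapling_output
}

# Live probe with curl (requires network): prints curl's exit code.
# 0 means a stapled response was received and the status was acceptable;
# 91 is curl's "SSL certificate status" failure, which is also what you get
# when the server sends no stapled response at all.
curl_cert_status() {
    curl --cert-status -sS -o /dev/null "https://$1/" >/dev/null 2>&1
    echo $?
}

# Constructed sample outputs for offline use (not captured from real servers).
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.invalid'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Jan  1 00:00:00 2015 GMT
======================================'

# Run the classifier over the constructed samples when executed directly.
for s in "$SAMPLE_NO_STAPLE" "$SAMPLE_GOOD" "$SAMPLE_REVOKED"; do
    printf '%s\n' "$s" | classify_stapling_output
done
```

Running `probe_stapling` against a fleet of your own hosts gives a quick inventory of which ones would break under a default-on `--cert-status`: every `none` result is a server where curl would refuse the connection despite a valid, unrevoked certificate, which is the deployment gap the reply above describes.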