On 2015-08-18 13:48:33 +0200, Alessandro Ghedini wrote:
> On Tue, Aug 18, 2015 at 01:32:19pm +0200, Vincent Lefevre wrote:
> > openssl s_server -CAfile old.crt -key old.key -cert old.crt -www
> 
> Try adding the "-status" option here.

This doesn't change anything.

> I think the problem is that both lynx and curl only support OCSP stapling,
> while firefox also does full-blown OCSP. So, if you don't enable OCSP stapling
> in s_server (with the -status option), lynx and curl won't receive any
> response, while firefox will also try to contact the CA's OCSP server and
> receive a response from that.

Supporting OCSP stapling only without an error in case of no response is
completely useless, and worse, this gives a false sense of security, because
an attacker won't provide OCSP stapling in his own fake server.

> It's more like lack of a feature than an actual bug (hardly RC
> material though, IMO).

Full OCSP is a lack of feature. Not giving an error (possibly with
whitelists/blacklists of known sites) is a bug.

Ideally there would be 4 choices in case of lack of OCSP response:

1. Accept and whitelist.
2. Accept.
3. Reject.
4. Reject and blacklist.

The whitelist/blacklist is there to remember the answer for future
connections.

(When/if full OCSP is implemented, there should be the same kind of choices
in case the OCSP server cannot be reached.)

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
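The following is an added example, not code from the mail above or from lynx, curl or OpenSSL. It shows the check a client would need in order to notice the "no response sent" case the mail complains about, and the four-way accept/whitelist/reject/blacklist policy the mail proposes. It parses the text that `openssl s_client -status` prints (the sample outputs below are constructed and trimmed), and the host names, the `DecisionStore` class and the rule that a stapled "revoked" status is always rejected are assumptions of this example, not something the mail states.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `openssl s_client -status` output when the server
# staples a good response (real output carries many more fields).
STAPLED_GOOD = """\
CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Aug 18 11:00:00 2015 GMT
    Next Update: Aug 25 11:00:00 2015 GMT
======================================
"""

# Constructed sample of the same command when the server (e.g. s_server
# started without -status) staples nothing at all.
NO_STAPLE = """\
CONNECTED(00000003)
OCSP response: no response sent
"""


@dataclass
class StapleResult:
    present: bool                     # did the server staple anything?
    cert_status: Optional[str]        # "good", "revoked", "unknown" or None


def parse_s_client_status(output: str) -> StapleResult:
    """Extract the stapled OCSP verdict from `openssl s_client -status` output."""
    if "OCSP response: no response sent" in output:
        return StapleResult(present=False, cert_status=None)
    m = re.search(r"OCSP Response Status: (\w+)", output)
    if not m or m.group(1) != "successful":
        # Something was stapled but it is not a usable response.
        return StapleResult(present=True, cert_status=None)
    s = re.search(r"Cert Status: (\w+)", output)
    return StapleResult(present=True, cert_status=s.group(1) if s else None)


def capture_status(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Run the real OpenSSL client against a live host (not used by the test)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=timeout,
    )
    return proc.stdout.decode(errors="replace")


# The four choices from the mail, offered when no usable response arrived.
ACCEPT_WHITELIST, ACCEPT, REJECT, REJECT_BLACKLIST = range(1, 5)


@dataclass
class DecisionStore:
    """Remembered answers for future connections (assumed in-memory store)."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


def decide(host: str, result: StapleResult, choice: int, store: DecisionStore) -> bool:
    """Return True if the connection should proceed, False to abort it."""
    if result.present:
        if result.cert_status == "good":
            return True
        if result.cert_status == "revoked":
            return False            # assumption: a definite revocation always aborts
        # "unknown" or malformed: fall through and treat as no response
    if host in store.blacklist:
        return False
    if host in store.whitelist:
        return True
    if choice == ACCEPT_WHITELIST:
        store.whitelist.add(host)
        return True
    if choice == ACCEPT:
        return True
    if choice == REJECT:
        return False
    if choice == REJECT_BLACKLIST:
        store.blacklist.add(host)
        return False
    raise ValueError(f"unknown choice {choice!r}")


if __name__ == "__main__":
    store = DecisionStore()
    for name, text in (("good", STAPLED_GOOD), ("none", NO_STAPLE)):
        r = parse_s_client_status(text)
        print(name, r, "proceed:", decide("example.test", r, REJECT, store))
```

Note that, as the mail argues, a client that only checks `cert_status == "good"` and otherwise silently proceeds gets no benefit from stapling; the decision has to branch on `present` being False, which is exactly what an impostor server will present.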