[pkg-lynx-maint] Bug#795958: lynx-cur: certificate revocation checking is buggy

Vincent Lefevre vincent at vinc17.net
Tue Aug 18 12:27:39 UTC 2015


On 2015-08-18 13:48:33 +0200, Alessandro Ghedini wrote:
> On Tue, Aug 18, 2015 at 01:32:19pm +0200, Vincent Lefevre wrote:
> >   openssl s_server -CAfile old.crt -key old.key -cert old.crt -www
> 
> Try adding the "-status" option here.

This doesn't change anything.

> I think the problem is that both lynx and curl only support OCSP stapling,
> while firefox also does full-blown OCSP. So, if you don't enable OCSP stapling
> in s_server (with the -status option), lynx and curl won't receive any response,
> while firefox will also try to contact the CA's OCSP server and receive a
> response from that.

Supporting OCSP stapling only without an error in case of no response
is completely useless, and worse, this gives a false sense of security,
because an attacker won't provide OCSP stapling in his own fake server.

> It's more like lack of a feature than an actual bug (hardly RC
> material though, IMO).

Full OCSP is a lack of feature. Not giving an error (possibly with
whitelists/blacklists of known sites) is a bug. Ideally there would
be 4 choices in case of lack of OCSP response:

1. Accept and whitelist.
2. Accept.
3. Reject.
4. Reject and blacklist.

The whitelist/blacklist is there to remember the answer for future
connections.

(When/if full OCSP is implemented, there should be the same kind of
choices in case the OCSP server cannot be reached.)

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
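As an added illustration (not code from this thread, lynx or curl), here is the four-way policy proposed above applied to the text `openssl s_client -status` prints for a connection; the sample outputs are constructed and trimmed, and the `ask` callback stands in for whatever prompt a client would show.

```python
import re

# Constructed, trimmed excerpts of what `openssl s_client -status` prints.
STAPLED_GOOD = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
"""
STAPLED_REVOKED = STAPLED_GOOD.replace("Cert Status: good", "Cert Status: revoked")
NO_RESPONSE = "OCSP response: no response sent\n"

# The four choices the message proposes when no OCSP response arrives.
ACCEPT_WHITELIST, ACCEPT, REJECT, REJECT_BLACKLIST = range(4)

def parse_stapled_status(output):
    """Return 'good', 'revoked', 'unknown', or None when nothing was stapled."""
    if "OCSP response: no response sent" in output:
        return None
    m = re.search(r"^\s*Cert Status:\s*(\w+)", output, re.M)
    return m.group(1) if m else "unknown"

def decide(host, output, whitelist, blacklist, ask):
    """Decide whether to proceed. `ask(host)` is a placeholder for the user
    prompt and returns one of the four choices; the sets persist the answer."""
    status = parse_stapled_status(output)
    if status == "good":
        return True, "stapled OCSP response says good"
    if status == "revoked":
        return False, "stapled OCSP response says revoked"
    # No usable response: the case the message says must not be accepted
    # silently. A remembered answer takes precedence over prompting again.
    if host in blacklist:
        return False, "no OCSP response and host is blacklisted"
    if host in whitelist:
        return True, "no OCSP response but host is whitelisted"
    choice = ask(host)
    if choice == ACCEPT_WHITELIST:
        whitelist.add(host)
    elif choice == REJECT_BLACKLIST:
        blacklist.add(host)
    accepted = choice in (ACCEPT_WHITELIST, ACCEPT)
    return accepted, "no OCSP response; user chose %d" % choice
```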
