Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
From: @rockdaboot
Subject: Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577)
Date: Thu, 30 Dec 2021 13:46:16 +0000
Tim Rühsen commented:
```
google.com, youtube.com (other google sites follow a similar pattern)
30.142551.277 *** OCSP validity time: Do 30 Dez 2021 08:08:46 CET
30.142551.277 *** OCSP update time : Mo 03 Jan 2022 08:08:46 CET
facebook.com
30.142728.289 *** OCSP validity time: Di 28 Dez 2021 19:52:46 CET
30.142728.289 *** OCSP update time : Di 04 Jan 2022 19:52:46 CET
baidu.com
30.142807.838 *** OCSP validity time: Mi 29 Dez 2021 01:23:19 CET
30.142807.838 *** OCSP update time : Mi 05 Jan 2022 01:23:19 CET
yahoo.com
30.142927.688 *** OCSP validity time: Mi 29 Dez 2021 19:52:46 CET
30.142927.688 *** OCSP update time : Mi 05 Jan 2022 19:52:46 CET
wikipedia.org (uses OCSP stapling only)
qq.com
30.143238.303 *** OCSP validity time: Mi 29 Dez 2021 20:40:33 CET
30.143238.303 *** OCSP update time : Mi 05 Jan 2022 20:40:33 CET
sohu.com
30.143338.384 *** OCSP validity time: Di 28 Dez 2021 20:32:50 CET
30.143338.384 *** OCSP update time : Di 04 Jan 2022 20:32:50 CET
```
That means if a server certificate is revoked and web servers don't update
their (stapled) OCSP response, it takes max 1 week before all the clients who
check the date will recognize it (and reject connections).
Oh and btw, from the GH issue:
```
OCSP response is too old. Ignoring.
Could not verify stapled OCSP response. Aborting.
Could not complete TLS handshake: invalid status response
```
This is a bug in our openssl code. The first message indicates that the stapled
OCSP response is outdated - and we should fall back to request the OCSP
responder instead of 'Aborting'. WDYT?
--
Reply to this email directly or view it on GitLab:
https://gitlab.com/gnuwget/wget2/-/issues/577#note_798314799
You're receiving this email because of your account on gitlab.com.
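The freshness decision discussed in the message above, as an added example that is not wget2's or OpenSSL's code. It parses the OCSP timestamps quoted in the message, applies a thisUpdate/nextUpdate policy with the 3-day age limit from the issue title, and computes the worst-case detection delay the message derives ("max 1 week"). Assumptions made here: wget2's "validity time" is the response's thisUpdate and "update time" its nextUpdate, the log's CET is UTC+1, and the 5-minute clock-skew tolerance and the function names are this example's own choices.

```python
"""Model of the OCSP freshness check discussed in wget2 issue #577.

Added example, not wget2's own code: it parses the timestamps quoted in
the thread and applies the policy the message argues for (a stale but
still valid staple triggers a responder query instead of an abort).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the log lines quoted in the message. Assumption: the
# "validity time" line is the response's thisUpdate, "update time" its
# nextUpdate (the values are ordered that way in every sample).
LOG = """\
google.com, youtube.com (other google sites follow a similar pattern)
30.142551.277 *** OCSP validity time: Do 30 Dez 2021 08:08:46 CET
30.142551.277 *** OCSP update time : Mo 03 Jan 2022 08:08:46 CET
facebook.com
30.142728.289 *** OCSP validity time: Di 28 Dez 2021 19:52:46 CET
30.142728.289 *** OCSP update time : Di 04 Jan 2022 19:52:46 CET
baidu.com
30.142807.838 *** OCSP validity time: Mi 29 Dez 2021 01:23:19 CET
30.142807.838 *** OCSP update time : Mi 05 Jan 2022 01:23:19 CET
yahoo.com
30.142927.688 *** OCSP validity time: Mi 29 Dez 2021 19:52:46 CET
30.142927.688 *** OCSP update time : Mi 05 Jan 2022 19:52:46 CET
wikipedia.org (uses OCSP stapling only)
qq.com
30.143238.303 *** OCSP validity time: Mi 29 Dez 2021 20:40:33 CET
30.143238.303 *** OCSP update time : Mi 05 Jan 2022 20:40:33 CET
sohu.com
30.143338.384 *** OCSP validity time: Di 28 Dez 2021 20:32:50 CET
30.143338.384 *** OCSP update time : Di 04 Jan 2022 20:32:50 CET
"""

CET = timezone(timedelta(hours=1))  # assumption: CET in the log is UTC+1
# German month abbreviations as printed by the locale of the quoted log
MONTHS = {"Jan": 1, "Feb": 2, "Mär": 3, "Apr": 4, "Mai": 5, "Jun": 6,
          "Jul": 7, "Aug": 8, "Sep": 9, "Okt": 10, "Nov": 11, "Dez": 12}
LINE_RE = re.compile(
    r"OCSP (validity|update) time\s*:\s*\w+ (\d{2}) (\w+) (\d{4}) "
    r"(\d{2}):(\d{2}):(\d{2}) CET")


def at(iso):
    """Aware CET datetime from 'YYYY-MM-DDTHH:MM' (test/usage helper)."""
    return datetime.fromisoformat(iso).replace(tzinfo=CET)


def parse_log(text):
    """Return {host: (this_update, next_update)} for hosts with both times.

    A line without a timestamp names the host of the following lines;
    hosts that only staple (no responder query logged) are left out.
    """
    pending = {}
    host = None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            if line.strip():
                host = line.split()[0].rstrip(",")
            continue
        kind, day, mon, year, hh, mm, ss = m.groups()
        stamp = datetime(int(year), MONTHS[mon], int(day),
                         int(hh), int(mm), int(ss), tzinfo=CET)
        pending.setdefault(host, {})[kind] = stamp
    return {h: (t["validity"], t["update"]) for h, t in pending.items()
            if "validity" in t and "update" in t}


def classify(this_update, next_update, now,
             max_age=timedelta(days=3), skew=timedelta(minutes=5)):
    """Verdict on one OCSP response at time `now`.

    'future'  : thisUpdate is ahead of our clock -> reject
    'expired' : nextUpdate has passed -> response says nothing about today
    'stale'   : inside the window but older than max_age (the 3-day check
                from the issue title); the message proposes a fresh query
                to the responder here rather than aborting the handshake
    'fresh'   : accept the stapled response as is
    The 5-minute skew tolerance is an assumption of this example.
    """
    if this_update > now + skew:
        return "future"
    if next_update is not None and now > next_update + skew:
        return "expired"
    if now - this_update > max_age:
        return "stale"
    return "fresh"


def evaluate(windows, now, **policy):
    """Apply classify() to every host in `windows`."""
    return {h: classify(tu, nu, now, **policy)
            for h, (tu, nu) in windows.items()}


def worst_case_detection_delay(windows):
    """Longest thisUpdate -> nextUpdate window in the sample.

    If a server never refreshes its staple after revocation, a client that
    only rejects past nextUpdate keeps accepting the certificate for up to
    this long: the 'max 1 week' bound in the message.
    """
    return max(nu - tu for tu, nu in windows.values())


if __name__ == "__main__":
    windows = parse_log(LOG)
    print("worst-case detection delay:", worst_case_detection_delay(windows))
    for when in ("2021-12-30T14:30", "2022-01-01T00:00", "2022-01-06T00:00"):
        print(when, evaluate(windows, at(when)))
```

Run at the time of the message every sampled response is fresh; two days later the facebook.com and sohu.com staples cross the 3-day line while still being inside their nextUpdate windows, which is exactly the case where aborting (as the quoted openssl-path messages do) rather than querying the responder costs availability without buying any revocation safety.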
- wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), Ander Juaristi (@juaristi), 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), Ander Juaristi (@juaristi), 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30 <=
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), Ander Juaristi (@juaristi), 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), Ander Juaristi (@juaristi), 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), Ander Juaristi (@juaristi), 2021/12/30
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), @rockdaboot, 2021/12/31
- Re: wget2 | OCSP: Why is wget checking that thisUpd is not older than 3 days? (#577), Ander Juaristi (@juaristi), 2021/12/31