Your message dated Mon, 4 May 2015 02:25:17 +0200
with message-id <[email protected]>
and subject line Re: wget should implement OCSP + OCSP stapling
has caused the Debian Bug report #781291,
regarding wget should implement OCSP + OCSP stapling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
781291: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781291
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wget
Version: 1.16.3-2
Severity: wishlist
Tags: upstream
Forwarded: https://savannah.gnu.org/bugs/?43799
CRL checking has been implemented (--crl-file option), but except
in some particular cases, it is not very useful in practice as
there seems to be no way to get a comprehensive CRL file.
So, OCSP + OCSP stapling should be implemented. There should be
an option allowing the user to choose what to do if no stapling
information is provided: either return a failure, or use conventional
OCSP (with a failure if this fails too).
Notes:
* OCSP stapling isn't implemented on every server, but neither is
https anyway. Users should be encourage to complain at server
admins if this is not the case.
* Conventional OCSP has (minor) privacy issues, hence the choice to
get a failure instead of using conventional OCSP as a fallback.
Unchecked certificate revocation could lead to much more critical
privacy leak in case of MITM attack. And also note that DNS and
e-mail also have privacy issues (but people still use them) and
most users leave more important private data so that they probably
don't care.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages wget depends on:
ii libc6 2.19-17
ii libgnutls-deb0-28 3.3.8-6
ii libidn11 1.29-1+b2
ii libnettle4 2.7.1-5
ii libpcre3 2:8.35-3.3
ii libpsl0 0.5.1-1
ii libuuid1 2.25.2-5
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages wget recommends:
ii ca-certificates 20141019
wget suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
I'm closing the bug because there is actually nothing to do on the
wget side: the new GnuTLS version (in unstable) implements OCSP (I
don't know which parts exactly, but anyway, if there is anything to
improve, it is on this side), and wget reports the error as expected:
xvii:~> wget https://www.vinc17.net:4434/
--2015-05-04 02:21:07-- https://www.vinc17.net:4434/
Resolving www.vinc17.net (www.vinc17.net)... 92.243.22.117,
2001:4b98:dc0:45:216:3eff:fe9b:eb2f
Connecting to www.vinc17.net (www.vinc17.net)|92.243.22.117|:4434... connected.
ERROR: The certificate of ‘www.vinc17.net’ has been revoked.
--
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
--- End Message ---