
I guess that's one more reason to install an SSL unwrapping proxy -- allows you to log what comes sailing in over SSL (if you should be so inclined) -- and at least the proxy could make sure to drop connections to sites with revoked certs.

It would make it more difficult to connect to sites that use alternative CAs/self-signed certs, though.



OK, so gnutls-cli from libgnutls 3.2 has a --ocsp parameter that turns on OCSP. And it sort of "works":

    $ gnutls-cli -p 443 --ocsp revoked.grc.com
    (..)
    Resolving 'revoked.grc.com'...
    Connecting to '4.79.142.205:443'...
    - Certificate type: X.509
    - Got a certificate list of 2 certificates.
    - Certificate[0] info:
    (...)
    - Status: The certificate is trusted.
    Connecting to OCSP server: ocsp.digicert.com...
    Resolving 'ocsp.digicert.com'...
    Connecting to '93.184.220.29:80'...
    *** Verifying OCSP Response: Failure, Signature failure.
    *** OCSP response ignored
                      ^^^^^^^ ! WTF?
So, by working, I mean that it doesn't work.
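As an added, runnable example (not part of the thread and not code from GnuTLS or GRC): the same revocation check done end to end with the openssl CLI, entirely offline. It assumes only that an openssl 1.1.1 or 3.x binary is on the PATH; the throwaway CA, the leaf certificate for the made-up host revoked.example.test with serial 0x1A, the two index files and the "Mallory" signer are all constructed inside the script. The second response reproduces the failure mode the comment above ran into: a response whose signature does not chain to the issuer still carries a status line, so a client has to treat a signature failure as a hard error instead of ignoring the response and carrying on.

```shell
#!/bin/sh
# Added example, not from the thread. Exercise the OCSP path with the openssl CLI:
# a throwaway CA issues a leaf, marks it revoked, signs an OCSP response in
# offline responder mode, and a client verifies it. A second response, signed by
# a key the CA never delegated to, shows why the client must fail closed on a
# signature failure. Assumes only openssl 1.1.1 or 3.x; every name, key, serial
# and file below is constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Verify an OCSP response as a client. Returns 0 only when the responder
# signature chains to the issuer in ca.pem AND the status equals $2. openssl
# still prints a status line after "Response Verify Failure", so a client that
# only greps for "good"/"revoked" is fooled by a forged response.
check_response() {  # $1 = DER response file, $2 = expected status: good|revoked|unknown
    out=$(openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem \
              -CAfile ca.pem -no_nonce 2>&1 || true)
    printf '%s\n' "$out"
    case "$out" in
        *"Response verify OK"*"leaf.pem: $2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 1. Throwaway CA and a leaf certificate with serial 0x1A signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Example Test CA" -days 30 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=revoked.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1A \
    -days 30 -out leaf.pem 2>/dev/null

# 2. CA databases in `openssl ca` index format, tab separated:
#    status (V/R), expiry, revocation time, serial (hex), filename, subject.
#    revoked.idx is what the real CA knows; forged.idx is what an attacker claims.
printf 'R\t351231235959Z\t240101000000Z\t1A\tunknown\t/CN=revoked.example.test\n' > revoked.idx
printf 'V\t351231235959Z\t\t1A\tunknown\t/CN=revoked.example.test\n' > forged.idx

# 3. Client side: build the request. The CertID hashes the issuer name and key,
#    which is why the issuer certificate is needed here.
openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der

# 4. Honest responder, offline: answer from the CA database, signing with the
#    CA key itself (so no delegated responder certificate is involved).
openssl ocsp -index revoked.idx -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout honest.der -ndays 1

# 5. Forged responder: same CertID, claims "good", signed by a self-made key
#    that is neither the issuer nor delegated by it (no OCSP-signing EKU,
#    not in the trust store).
openssl req -x509 -newkey rsa:2048 -nodes -keyout mallory.key -out mallory.pem \
    -subj "/CN=Mallory" -days 30 2>/dev/null
openssl ocsp -index forged.idx -CA ca.pem -rsigner mallory.pem -rkey mallory.key \
    -reqin req.der -respout forged.der -ndays 1

# 6. Client side: the honest response verifies and reports the revocation; the
#    forged one fails signature verification and must be rejected outright.
check_response honest.der revoked && echo "honest response: verified, certificate is revoked"
check_response forged.der good || echo "forged response: signature failure, rejected"
```

The case that matters is the second one: openssl prints "Response Verify Failure" and then "leaf.pem: good" anyway, exactly the shape of answer a client gets when a responder's signature does not chain to the issuer. Taking the status from such a response, or dropping it and proceeding as if no check had been made, both leave a revoked certificate accepted; the only safe reading of a signature failure is "no valid revocation information, treat as untrusted".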



