[oh, so this was an MBF without discussing it on -devel, nice]

On 25 April 2014 19:54, Vincent Lefevre <vinc...@vinc17.net> wrote:
[...]
> I suppose that though this is documented in the curl(1) man page
> (quite poorly), most users don't know that curl doesn't have any
> check for certificate revocation by default. Before the Heartbleed
> bug, this could be regarded as not very important. But now there
> may have been many more leaks than before. So, curl should use an
> up-to-date Certificate Revocation List by default (which it supports)
> or some other alternate method like Firefox.
I'm afraid that what you are asking is just a dream. CRLs aren't usually used because there is no central mechanism to fetch and keep them up to date on a system. Moreover, not all CAs provide them, which causes sites using them to be broken, because no CRL + CRL checking = verify error. OCSP transponder support and/or OCSP stapling support would be nice, but they are false solutions.

Please bring up the subject on -devel before mass bug filing; it would have avoided it (in its current form at least).

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
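The "no CRL + CRL checking = verify error" point above can be reproduced locally. The script below is an added demonstration, not code from the bug report, from curl or from Debian: it builds a throwaway CA, a leaf certificate and a CRL with the openssl command-line tool (assumed installed), then runs `openssl verify` with and without `-crl_check`. Every path, subject name and config value in it is constructed for the demo. The `-CRLfile` step is the equivalent of what curl does when you hand it a CRL with `--crlfile`; without such a file, turning revocation checking on simply turns every connection into a verify error.

```shell
#!/bin/sh
# Added demonstration (not from the thread): why "CRL checking on, no CRL
# available" is a verify error, and what a revocation looks like once a
# CRL is present. All files live in a temporary directory and are removed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config for `openssl req` and `openssl ca` (constructed values).
write_config() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 1
EOF
}

# Issue a CRL signed by the throwaway CA from the current index database.
issue_crl() {
  openssl ca -config "$CNF" -gencrl -md sha256 -crldays 1 \
    -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Fresh CA, a leaf certificate signed by it, and an initially empty CRL.
make_pki() {
  write_config
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  issue_crl
}

# Mark the leaf as revoked in the CA database and publish a new CRL.
revoke_leaf() {
  openssl ca -config "$CNF" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
  issue_crl
}

# Plain chain validation, i.e. what curl does by default: no revocation check.
verify_plain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Revocation checking requested but no CRL supplied: fails with
# "unable to get certificate CRL" although the certificate itself is valid.
verify_crl_check_without_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Revocation checking with the CA's CRL supplied (what curl --crlfile enables).
verify_crl_check_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

report() { if "$1"; then echo "$1: OK"; else echo "$1: verify error"; fi; }

make_pki
report verify_plain                  # OK
report verify_crl_check_without_crl  # verify error (no CRL to consult)
report verify_crl_check_with_crl     # OK (CRL present, leaf not listed)
revoke_leaf
report verify_crl_check_with_crl     # verify error (certificate revoked)
```

The third and fourth results are the two halves of the trade-off the reply describes: with a CRL available, checking catches the revoked leaf; without one, the same flag rejects a perfectly good certificate, which is why no client can turn it on unconditionally for every CA.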