On Tue, 2012-12-11 at 14:52 +0100, Jacek Caban wrote:
> On 12/11/12 09:45, Hans Leidekker wrote:
> > https://testbot.winehq.org/JobDetails.pl?Key=23300 is a test which shows that
> > revocation checks fail for the certificate on outlook.com when passed straight
> > to CertVerifyRevocation. The reason is that a CRL link specified in the
> > certificate does not resolve.
> >
> > https://testbot.winehq.org/JobDetails.pl?Key=23301 is a test which makes
> > a secure connection to outlook.com from wininet and shows that this succeeds.
> >
> > My conclusion is that native wininet doesn't perform revocation checks.
>
> Your tests prove that we should relax our verification on
> CERT_TRUST_IS_OFFLINE_REVOCATION or something similar. To prove that
> revocation checks are not made, a test with truly revoked cert would be
> needed.

True, though to perform the revocation check the CRL has to be retrieved and my tests with wireshark didn't show any signs of that.