net/http revoked SSL certificate passes verification #18323
Comments
On MacOS (10.11.6) Safari accepts the certificate, however Firefox and Chrome don't. Maybe it's still accepted by Apple?
Seems right. Safari 10.0.1 accepts the certificate whereas FF (which I mostly use) rejects it. Makes me wonder if Chrome/FF use their own CA bundles? Or do they just use some other way to verify the certificate without using the local CA bundle? I thought that revocation happens at the intermediate cert, so it should not be updated in the CA bundle every time some cert is invalidated ahead of expiration.
This is known. Feel free to file a feature request for a There is nothing that can be done for the default case until Must-Staple extensions in x509 come along.
Working as intended. As @FiloSottile, you'll have to modify your tls.Config. We aren't going to do OCSP checks by default. I can't find @agl's OCSP blog posts anymore. They seem to 404 now.
What version of Go are you using (go version)?
go version go1.7.4 darwin/amd64
What operating system and processor architecture are you using (go env)?
What did you do?
What did you expect to see?
Error message since cert is invalid and exit status code 1 (since log.Fatal)
What did you see instead?
No message and exit code 0, it actually fetches the page for revoked certificate.