wininet: Don't perform revocation checks when verifying a certificate.

Hans Leidekker hans at codeweavers.com
Tue Dec 11 08:10:27 CST 2012


On Tue, 2012-12-11 at 14:52 +0100, Jacek Caban wrote:
> On 12/11/12 09:45, Hans Leidekker wrote:
> > https://testbot.winehq.org/JobDetails.pl?Key=23300 is a test which shows that
> > revocation checks fail for the certificate on outlook.com when passed straight
> > to CertVerifyRevocation. The reason is that a CRL link specified in the
> > certificate does not resolve.
> >
> > https://testbot.winehq.org/JobDetails.pl?Key=23301 is a test which makes
> > a secure connection to outlook.com from wininet and shows that this succeeds.
> >
> > My conclusion is that native wininet doesn't perform revocation checks.
> 
> Your tests prove that we should relax our verification on
> CERT_TRUST_IS_OFFLINE_REVOCATION or something similar. To prove that
> revocation checks are not made, a test with truly revoked cert would be
> needed.

True, though to perform the revocation check the CRL has to be retrieved, and my
tests with Wireshark didn't show any signs of that.




