wininet: Don't perform revocation checks when verifying a certificate.

Juan Lang juan.lang at gmail.com
Tue Dec 11 13:52:27 CST 2012


On Tue, Dec 11, 2012 at 6:10 AM, Hans Leidekker <hans at codeweavers.com> wrote:

> On Tue, 2012-12-11 at 14:52 +0100, Jacek Caban wrote:
> > On 12/11/12 09:45, Hans Leidekker wrote:
> > > https://testbot.winehq.org/JobDetails.pl?Key=23300 is a test which shows
> > > that revocation checks fail for the certificate on outlook.com when passed
> > > straight to CertVerifyRevocation. The reason is that a CRL link specified
> > > in the certificate does not resolve.
> > >
> > > https://testbot.winehq.org/JobDetails.pl?Key=23301 is a test which makes
> > > a secure connection to outlook.com from wininet and shows that this
> > > succeeds.
> > >
> > > My conclusion is that native wininet doesn't perform revocation checks.
> >
> > Your tests prove that we should relax our verification on
> > CERT_TRUST_IS_OFFLINE_REVOCATION or something similar. To prove that
> > revocation checks are not made, a test with truly revoked cert would be
> > needed.
>
> True, though to perform the revocation check the CRL has to be retrieved and
> my tests with Wireshark didn't show any signs of that.
>

Would adding to the tests as part of this patch be a bad thing?
--Juan
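
Added example, not part of the original message or the patch: a small C model of the point debated above, that a connection test against a certificate whose CRL cannot be fetched gives the same result for a client that skips revocation checks and for one that tolerates offline revocation, while a revoked certificate separates the two. The policy and certificate enums and the chain_errors() model are constructed for illustration; only the three CERT_TRUST_* bits are wincrypt.h values.

```c
#include <stdio.h>

/* Error bits as wincrypt.h defines them; repeated here so the example
 * builds without the Windows headers. */
#ifndef CERT_TRUST_IS_REVOKED
#define CERT_TRUST_IS_REVOKED                0x00000004
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000
#endif

/* Hypothetical names, used by this example only. */
enum policy { NO_CHECK, SOFT_FAIL, HARD_FAIL };
enum cert   { CERT_GOOD, CERT_CRL_UNREACHABLE, CERT_REVOKED };

/* Constructed model of the error status a client ends up with. */
static unsigned chain_errors(enum policy p, enum cert c)
{
    if (p == NO_CHECK) return 0;               /* CRL is never fetched */
    if (c == CERT_REVOKED) return CERT_TRUST_IS_REVOKED;
    if (c == CERT_CRL_UNREACHABLE)
        return CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
               CERT_TRUST_IS_OFFLINE_REVOCATION;
    return 0;
}

/* Returns 1 if the connection is allowed under this policy. */
static int connects(enum policy p, enum cert c)
{
    unsigned err = chain_errors(p, c);
    if (err & CERT_TRUST_IS_REVOKED) return 0;
    if (err & (CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
               CERT_TRUST_IS_OFFLINE_REVOCATION))
        return p != HARD_FAIL;                 /* soft-fail lets it through */
    return 1;
}

/* Returns 1 if a connection test against this certificate tells a from b. */
static int distinguishes(enum cert c, enum policy a, enum policy b)
{
    return connects(a, c) != connects(b, c);
}

int main(void)
{
    printf("unreachable CRL: no-check vs soft-fail -> %d\n",
           distinguishes(CERT_CRL_UNREACHABLE, NO_CHECK, SOFT_FAIL));
    printf("revoked cert:    no-check vs soft-fail -> %d\n",
           distinguishes(CERT_REVOKED, NO_CHECK, SOFT_FAIL));
    return 0;
}
```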