On 13.07.2019 23:31, kotkov_at_apache.org wrote:
> Author: kotkov
> Date: Sat Jul 13 21:31:25 2019
> New Revision: 1863018
>
> URL: http://svn.apache.org/viewvc?rev=1863018&view=rev
> Log:
> Win32: tweak the SSL certificate validation override to avoid hitting the wire
> for URL based objects and revocation checks.
>
> The primary purpose of this callback is to resolve SVN_AUTH_SSL_UNKNOWNCA
> failures using CryptoAPI and Windows local certificate stores. To do so, we
> should be fine with just using the immediately available data on the local
> machine.
>
> Doing the opposite of that appears to be troublesome, as always connecting
> to remote CRL and OCSP endpoints can result in spurious errors or significant
> (user-reported) network stalls caused by timeouts if the endpoints are
> inaccessible or unreliable.
>
> The new approach should also be in par with the default basic behavior of
> several major browsers, for example:
> https://chromium.googlesource.com/chromium/src/net/+/3d1dad1c17ae3ff59e7c35841af94b66f4bca1ba/cert/cert_verify_proc_win.cc#919
Uh. I don't think so.
First of all, the reference to Chromium source is a red herring ... that
code disables CRL/OCSP checks *if some caller required it to*. You'll
find that browsers do, indeed, check CRL or OCSP info, if it's available.
Your change disables all online verification, regardless, and that seems
quite wrong.
If the server certificate contains CRL or OCSP information, the client
SHOULD verify them. If verification services are flaky, users should
report that to the server admin (who can then report it to the
certificate issuer). We don't "fix" that by removing validation
altogether in our client.
So ... -1, please revert and let's discuss this change on the list
first. It's far more significant than you seem to think.
-- Brane
Received on 2019-07-14 00:29:24 CEST