Description
I did this
curl -v https://3dsec.postfinance.ch/challengeRequestBrowser
This sends an OCSP stapled revocation as of right now because my bank is a clown show and doesn't know how to run a business. Firefox doesn't accept it because the cert is revoked, but curl did.
Note: postfinance might fix their oopsie by the time you read this, but I doubt it, since it's been 24+ hours and they seemingly have no monitoring.
I expected the following
Revocation error, as with curl -v --cert-status https://3dsec.postfinance.ch/challengeRequestBrowser. It's fine (and probably preferable) to not query the CA for OCSP, thereby leaking information to it, but if OCSP revocation is part of the response it should probably respect it by default like Firefox does.
stracing the curl process shows that the OCSP information isn't coming from the CA but seemingly the stapled response.
As an aside, if anyone has any test domains that send an OCSP-stapled revocation, that'd be nice, so that this bug report doesn't have to count on the incompetence of a large banking entity.
curl/libcurl version
curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.4.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.64.0 nghttp3/1.6.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
operating system
Linux archbox 6.11.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 01 Nov 2024 03:30:41 +0000 x86_64 GNU/Linux
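As an added illustration of the check the report is asking curl to perform by default (example code written for this page; it is not curl's code, and not code from the reporter): the script below walks the DER of a stapled OCSP response (RFC 6960 layout: OCSPResponse, BasicOCSPResponse, ResponseData, SingleResponse) with a hand-rolled TLV reader, pulls out certStatus plus thisUpdate/nextUpdate, and turns that into a handshake decision. The sample staple is constructed inline: the CertID hashes, serial number and signature bytes are placeholders, so it is structurally valid but not verifiable. A real client must additionally verify the response signature against the issuer or its delegated responder and confirm the CertID matches the presented leaf; neither step is done here.

```python
import datetime

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)
SAMPLE_NOW = datetime.datetime(2024, 11, 5, 12, 0, tzinfo=UTC)  # fixed clock for the constructed sample
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # id-pkix-ocsp-basic (1.3.6.1.5.5.7.48.1.1)
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

# Minimal DER helpers: enough for an OCSP response, not a general ASN.1 library.
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Yield (tag, value) for every TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def gen_time(dt):
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())

def parse_time(raw):
    return datetime.datetime.strptime(raw.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def build_sample_response(status, now, this_update=None, next_update=None):
    """Constructed OCSPResponse standing in for a server's staple (placeholder hashes/signature)."""
    this_update = this_update or now - datetime.timedelta(hours=1)
    next_update = next_update or now + 7 * DAY
    cert_id = tlv(0x30, tlv(0x30, tlv(0x06, OID_SHA1) + tlv(0x05, b""))  # hashAlgorithm
                     + tlv(0x04, b"\x11" * 20) + tlv(0x04, b"\x22" * 20)   # issuerNameHash, issuerKeyHash
                     + tlv(0x02, b"\x01\x02\x03\x04"))                     # serialNumber (placeholder)
    if status == "good":
        cert_status = tlv(0x80, b"")                                  # good    [0] IMPLICIT NULL
    elif status == "revoked":
        cert_status = tlv(0xA1, gen_time(now - 2 * DAY))              # revoked [1] IMPLICIT RevokedInfo
    else:
        cert_status = tlv(0x82, b"")                                  # unknown [2] IMPLICIT NULL
    single = tlv(0x30, cert_id + cert_status + gen_time(this_update) + tlv(0xA0, gen_time(next_update)))
    tbs = tlv(0x30, tlv(0xA2, tlv(0x04, b"\x22" * 20)) + gen_time(now) + tlv(0x30, single))  # byKey, producedAt
    basic = tlv(0x30, tbs + tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 17))
    response_bytes = tlv(0xA0, tlv(0x30, tlv(0x06, OID_OCSP_BASIC) + tlv(0x04, basic)))
    return tlv(0x30, tlv(0x0A, b"\x00") + response_bytes)              # responseStatus = successful(0)

def stapled_status(ocsp_der):
    """Walk OCSPResponse -> BasicOCSPResponse -> first SingleResponse and return its certStatus."""
    fields = list(children(read_tlv(ocsp_der)[1]))
    if fields[0][1] != b"\x00":                                       # responseStatus other than successful
        return {"cert_status": None}
    _, rb_seq = next(children(fields[1][1]))                          # responseBytes [0] EXPLICIT SEQUENCE
    (_, resp_type), (_, basic_der) = children(rb_seq)
    if resp_type != OID_OCSP_BASIC:
        raise ValueError("unexpected OCSP responseType")
    _, tbs_body = next(children(read_tlv(basic_der)[1]))              # tbsResponseData
    tbs = list(children(tbs_body))
    if tbs[0][0] == 0xA0:                                             # optional version [0]
        tbs = tbs[1:]
    _, single_body = next(children(tbs[2][1]))                        # responses -> first SingleResponse
    sf = list(children(single_body))                                  # certID, certStatus, thisUpdate, [nextUpdate]
    status_tag, status_val = sf[1]
    info = {"cert_status": {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}.get(status_tag, "unknown"),
            "this_update": parse_time(sf[2][1]), "next_update": None, "revocation_time": None}
    if len(sf) > 3 and sf[3][0] == 0xA0:
        info["next_update"] = parse_time(next(children(sf[3][1]))[1])
    if status_tag == 0xA1:
        info["revocation_time"] = parse_time(next(children(status_val))[1])
    return info

def verdict(ocsp_der, now):
    """'revoked' aborts the handshake, 'good' lets it proceed, 'inconclusive' means the
    staple proves nothing (error status, unknown, or outside its thisUpdate/nextUpdate window)."""
    try:
        info = stapled_status(ocsp_der)
    except (ValueError, IndexError, StopIteration):
        return "inconclusive"
    if info["cert_status"] == "revoked":
        return "revoked"
    if info["cert_status"] == "good" and info["this_update"] <= now and (
            info["next_update"] is None or now <= info["next_update"]):
        return "good"
    return "inconclusive"

def demo():
    return {s: verdict(build_sample_response(s, SAMPLE_NOW), SAMPLE_NOW) for s in ("good", "revoked", "unknown")}

if __name__ == "__main__":
    for status, decision in demo().items():
        print(f"staple says {status:8s} -> client decision: {decision}")
```

The point of the walk is that a "revoked" verdict is sitting in the staple the server itself handed over; reading it costs no round trip to the CA and leaks nothing to it, which is the distinction the report draws between fetching OCSP and honouring a stapled response. The only policy question left is the "inconclusive" branch (unknown status, stale window, malformed staple), which is where a client chooses between soft-fail and hard-fail; treating "revoked" as fatal does not depend on that choice.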