In version 8.5.0, cURL inadvertently introduced a way for revoked certificates to be accepted.
As a result of this change, OCSP stapling verification is skipped when a TLS session is reused.
However, the TLS session is cached regardless of the OCSP verification result.
Consequently, even for a revoked certificate, verification is skipped on TLS session reuse.
1. Identify a site with a revoked certificate.
2. curl (URL from step 1) (URL from step 1) --cert-status
I have prepared an environment for testing. Please use as necessary.
https://ocsptest.ddns.net/
curl https://ocsptest.ddns.net/ https://ocsptest.ddns.net/ --cert-status
This website returns only the string “test.”
Here are the execution results.
C:\curl-8.5.0_3-win64-mingw\bin>curl https://ocsptest.ddns.net/ https://ocsptest.ddns.net/ --cert-status
curl: (91) SSL certificate revocation reason: (UNKNOWN) (-1)
test
The first request fails with an error, but the second one incorrectly succeeds as if the certificate were valid.
OCSP verification is bypassed.
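The ordering problem behind this report, as an added Python model (not curl's source; the host name and stapled OCSP statuses are constructed): one variant caches the TLS session before the stapled OCSP response is checked and skips the check on reuse, the other caches it only after the check has passed.

```python
# Added model of the ordering bug in the report; not curl's own code.
# The host name and the stapled OCSP statuses below are constructed.

REVOKED = "revoked"
GOOD = "good"
OK = "ok"
ERR_91 = "curl: (91) SSL certificate revocation reason"


def transfer(session_cache, host, stapled_status, fixed_ordering):
    """Model one transfer to host with --cert-status semantics.

    session_cache: set of hosts that have a cached TLS session (model only).
    stapled_status: OCSP status the server staples for its certificate.
    fixed_ordering: False reproduces the 8.5.0 behaviour in the report
      (session stored regardless of the OCSP result); True stores the
      session only after the stapled response has been verified.
    Returns (result, resumed).
    """
    if host in session_cache:
        # Session reuse: the stapled-response check is skipped entirely.
        return OK, True

    # Full handshake.
    if not fixed_ordering:
        # Buggy order: cache the session before the OCSP result is known.
        session_cache.add(host)

    if stapled_status != GOOD:
        # Verification failure is reported as exit code 91; no session
        # must be reusable after it.
        return ERR_91, False

    if fixed_ordering:
        # Hardened order: only a session that passed verification is cached.
        session_cache.add(host)
    return OK, False


def two_requests(fixed_ordering, stapled_status=REVOKED):
    """Run the report's two back-to-back requests; return both results."""
    cache = set()
    host = "ocsptest.example"  # constructed host name
    return [transfer(cache, host, stapled_status, fixed_ordering)[0]
            for _ in range(2)]


if __name__ == "__main__":
    print("8.5.0 ordering:", two_requests(fixed_ordering=False))
    print("fixed ordering:", two_requests(fixed_ordering=True))
```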