WinTLS: Accept chains with no revocation information.

This is kind what browser do anyway (IE, Firefox, Chrome tested), what AppleTLS does, what GnuTLS does and what OpenSSL does. Actually, most browsers will also be OK with the CRL/OCSP provider being offline. WinTLS will still fail in that case. Should revocation information be available in the trust chain (CRL or OCSP) the certificate still will be checked! "Real" CAs, aka. those provided by the OS or system CA bundle, usually provide revocation information and are thus still checked. It should be mostly (only?) custom (organization) CAs that lack revocation information, but those users might want to use aria2 in their intranets and VPNs anyway ;) See #217
2014-04-12 17:55:11 +02:00 · 2014-04-12 17:55:11 +02:00 · 0a51b8d172
parent 13a202df07
commit 0a51b8d172
1 changed files with 2 additions and 1 deletions
--- a/src/WinTLSContext.cc
+++ b/src/WinTLSContext.cc
@ -94,7 +94,8 @@ void WinTLSContext::setVerifyPeer(bool verify)
    credentials_.dwFlags =
      SCH_CRED_NO_DEFAULT_CREDS |
      SCH_CRED_AUTO_CRED_VALIDATION |
-      SCH_CRED_REVOCATION_CHECK_CHAIN;
+      SCH_CRED_REVOCATION_CHECK_CHAIN |
+      SCH_CRED_IGNORE_NO_REVOCATION_CHECK;
  }
  else {
    credentials_.dwFlags =