Open diracdeltas opened 3 years ago
pretty sure this is because Chromium delegates stuff to the system TLS stack (which doesn't respect chromium proxy settings) on macos/win
Interesting, I was under the impression that OCSP was disabled in Chromium:
Online (i.e. OCSP and CRL) checks are not, generally, performed by Chrome. They can be enabled by policy and, in some cases, the underlying system certificate library always performs these checks no matter what Chromium does.
@fmarier i think the key sentence is in some cases, the underlying system certificate library always performs these checks no matter what Chromium does.
there may not be a straightforward way from chromium to tell the underlying system library not to do OCSP checks for particular URLs or processes
I think this also applies to non-EV certs when the system OCSP cache doesn't have that entry. For EV certs, when it is also not found in the CRLSet, Chromium will do an extra OCSP lookup which doesn't allow soft-fail, unlike the first lookup. Also, disabling OCSP and only checking CRLs is not sufficient because CAs aren't required to publish CRLs; many don't.
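The comment above makes two points a defender can verify directly from a certificate: whether a verifier that has OCSP disabled could still check revocation via a CRL at all, and which out-of-band URLs (OCSP responders, CRL distribution points) the certificate would cause a system verifier to contact. The following Go program is an added example, not code from this issue or from Chromium or Brave; it builds two constructed self-signed certificates (hypothetical hostnames `both.example` and `ocsp-only.example`, hypothetical URLs under `ocsp.example` and `crl.example`) and inspects their revocation extensions with the standard library's `crypto/x509`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationInfo summarises the out-of-band fetches a certificate invites:
// OCSP responders from the AIA extension and CRL distribution points.
// A verifier that honours these (e.g. a system certificate library) may
// contact them regardless of an application's proxy settings.
type RevocationInfo struct {
	OCSPServers []string
	CRLPoints   []string
}

// Inspect extracts the revocation-related URLs from a parsed certificate.
func Inspect(cert *x509.Certificate) RevocationInfo {
	return RevocationInfo{
		OCSPServers: append([]string(nil), cert.OCSPServer...),
		CRLPoints:   append([]string(nil), cert.CRLDistributionPoints...),
	}
}

// CRLOnlyPossible reports whether a verifier with OCSP disabled could still
// perform any revocation check for this certificate: it can only if the
// issuer published a CRL distribution point, which CAs are not required to do.
func CRLOnlyPossible(info RevocationInfo) bool {
	return len(info.CRLPoints) > 0
}

// SelfSigned builds a constructed, self-signed certificate carrying the given
// OCSP responder and CRL URLs. Inputs are hypothetical; this is not any real
// CA's certificate and the URLs are never contacted.
func SelfSigned(cn string, ocsp, crl []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		OCSPServer:            ocsp,
		CRLDistributionPoints: crl,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample inputs: one certificate with both mechanisms,
	// one with OCSP only (the case the comment above is warning about).
	both, err := SelfSigned("both.example",
		[]string{"http://ocsp.example/"}, []string{"http://crl.example/ca.crl"})
	if err != nil {
		panic(err)
	}
	ocspOnly, err := SelfSigned("ocsp-only.example",
		[]string{"http://ocsp.example/"}, nil)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{both, ocspOnly} {
		info := Inspect(c)
		fmt.Printf("%s: OCSP=%v CRL=%v CRL-only check possible=%t\n",
			c.Subject.CommonName, info.OCSPServers, info.CRLPoints,
			CRLOnlyPossible(info))
	}
}
```

Running the program shows that the OCSP-only certificate leaves a CRL-only verifier with nothing to check, while both certificates expose an OCSP URL that a system verifier may fetch on its own; pointing `Inspect` at a real leaf certificate (parsed from a PEM file) is the practical way to see which endpoints a given site's certificate would trigger.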
We can wait for CertVerifierBuiltin to be stable on Mac, and upstream will look at Windows support
https://chromium-review.googlesource.com/c/chromium/src/+/2171996/4/net/features.gni
Linux is using it by default
https://chromium-review.googlesource.com/c/chromium/src/+/2171996/4/net/cert/cert_verifier.cc
STR:
0A 7A 97 E8 F3 EE C2 BD 60 A6 FD 5E 82 36 35 0C
you can also repro this for a non-onion website like https://gdpr.org (04 28 EA A2 19 7C 7B 01 17 AB 7E 86 B1 2B 9F E7 51 99): note that you may not see results for system-cached OCSP responses if you've already visited the site.