I'm proposing this PR after coming across mds.fidoalliance.org:443's certificate which doesn't contain a CRL. It recently switched to OCSP as far as I can see:
Using `true` for `crl_check`, validation fails. We don't have OCSP implemented yet in BEAM, but still I think we need to let these chains validate. What do you think?
The issue with the current recommendation is that a configured HTTP client can fail when a certificate is updated to OCSP-only (which recently happened with wax).