On Tue, Dec 11, 2012 at 6:10 AM, Hans Leidekker <hans@codeweavers.com> wrote:
On Tue, 2012-12-11 at 14:52 +0100, Jacek Caban wrote:
> On 12/11/12 09:45, Hans Leidekker wrote:
> > https://testbot.winehq.org/JobDetails.pl?Key=23300 is a test which shows that
> > revocation checks fail for the certificate on outlook.com when passed straight
> > to CertVerifyRevocation. The reason is that a CRL link specified in the
> > certificate does not resolve.
> >
> > https://testbot.winehq.org/JobDetails.pl?Key=23301 is a test which makes
> > a secure connection to outlook.com from wininet and shows that this succeeds.
> >
> > My conclusion is that native wininet doesn't perform revocation checks.
>
> Your tests prove that we should relax our verification on
> CERT_TRUST_IS_OFFLINE_REVOCATION or something similar. To prove that
> revocation checks are not made, a test with a truly revoked cert would be
> needed.

True, though to perform the revocation check the CRL has to be retrieved and my
tests with Wireshark didn't show any signs of that.

Would adding to the tests as part of this patch be a bad thing?
--Juan
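
The distinction drawn in this thread, between a CRL that cannot be fetched and a certificate that is actually revoked, can be expressed as a policy over the chain error-status bits. The following is an added example, not code from the thread or from Wine: the `verdict` enum and `classify_chain_status` are hypothetical names, the status bits are redefined locally with their wincrypt.h values so the file builds without Windows headers, and the sample status words in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Chain error-status bits; values as in wincrypt.h, redefined here so the
 * example compiles on any platform. */
#ifndef CERT_TRUST_IS_REVOKED
#define CERT_TRUST_IS_REVOKED                0x00000004
#define CERT_TRUST_IS_UNTRUSTED_ROOT         0x00000020
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000
#endif

/* Hypothetical verdicts for this example. */
enum verdict {
    VERDICT_ACCEPT,            /* no error bits set                         */
    VERDICT_ACCEPT_UNCHECKED,  /* revocation could not be checked; allowed  */
    VERDICT_REJECT_UNCHECKED,  /* revocation could not be checked; refused  */
    VERDICT_REJECT_REVOKED,    /* a CRL positively lists the certificate    */
    VERDICT_REJECT_OTHER       /* any non-revocation error (e.g. bad root)  */
};

/* Classify a chain error-status word. "Could not check" bits are soft
 * failures unless strict_revocation is set; CERT_TRUST_IS_REVOKED and every
 * unrelated error bit are always fatal. */
enum verdict classify_chain_status(uint32_t error_status, int strict_revocation)
{
    const uint32_t soft = CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
                          CERT_TRUST_IS_OFFLINE_REVOCATION;

    if (error_status & CERT_TRUST_IS_REVOKED)
        return VERDICT_REJECT_REVOKED;
    if (error_status & ~soft)
        return VERDICT_REJECT_OTHER;
    if (error_status & soft)
        return strict_revocation ? VERDICT_REJECT_UNCHECKED
                                 : VERDICT_ACCEPT_UNCHECKED;
    return VERDICT_ACCEPT;
}

int main(void)
{
    /* Constructed samples: clean chain, unreachable CRL, revoked cert,
     * unreachable CRL combined with an untrusted root. */
    const uint32_t samples[] = { 0x0, 0x01000040, 0x00000004, 0x01000060 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("status 0x%08x -> relaxed=%d strict=%d\n", (unsigned)samples[i],
               classify_chain_status(samples[i], 0),
               classify_chain_status(samples[i], 1));
    return 0;
}
```

A test that only exercises the unreachable-CRL case cannot tell the relaxed policy apart from no revocation checking at all; the revoked sample is the input that separates the two.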