WebPositive doesn't check for revoked certificates
|Reported by:||xray7224||Owned by:||pulkomandy|
|Keywords:||tls, ssl, certificate, revocation||Cc:|
|Has a Patch:||no||Platform:||All|
WebPositive should check if a TLS/SSL certificate has been revoked. It would be good if there was a drop-down option to select between "hard fail", "soft fail" and "disabled". Those being:
hard fail: if the CRL/OCSP list is down it'll assume it's revoked.
soft fail: if the CRL/OCSP list is down then it'll trust it.
disabled: No certificate revocation checking will occur.
I think that hard fail should be the default as it's the safest option, and from my experience the CRL/OCSP lists are rarely unavailable.
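
The three modes proposed in this ticket, sketched as an added example (not WebPositive or Haiku code). All type and function names are hypothetical, and it assumes each CRL or OCSP lookup reports good, revoked or unavailable, with a definite "revoked" from any source taking precedence.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical names throughout; none of this is Haiku or WebPositive API.
enum class RevocationMode { HardFail, SoftFail, Disabled };

// What one revocation source (a CRL fetch or an OCSP query) reported.
enum class SourceResult { Good, Revoked, Unavailable };

struct Verdict {
    bool trusted;
    std::string reason;
};

// Combine the answers from every source consulted for one certificate.
// Assumption: a definite "revoked" always wins over any other answer.
// The mode only decides the outcome when no source gave a definite answer.
Verdict EvaluateRevocation(RevocationMode mode,
                           const std::vector<SourceResult>& results)
{
    if (mode == RevocationMode::Disabled)
        return {true, "revocation checking disabled"};

    bool sawGood = false;
    for (SourceResult r : results) {
        if (r == SourceResult::Revoked)
            return {false, "certificate is revoked"};
        if (r == SourceResult::Good)
            sawGood = true;
    }
    if (sawGood)
        return {true, "certificate is not revoked"};

    // No source answered, or none was listed in the certificate.
    if (mode == RevocationMode::HardFail)
        return {false, "revocation status unavailable, treated as revoked"};
    return {true, "revocation status unavailable, trusted anyway"};
}

int main()
{
    // Constructed case: both the CRL and the OCSP responder are down.
    std::vector<SourceResult> down = {SourceResult::Unavailable, SourceResult::Unavailable};
    for (RevocationMode m : {RevocationMode::HardFail, RevocationMode::SoftFail, RevocationMode::Disabled})
        std::cout << EvaluateRevocation(m, down).reason << "\n";
    return 0;
}
```

Only the case where every source is unavailable separates hard fail from soft fail; a certificate that a reachable source reports as revoked is rejected in both.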