Summary
urlx does not support OCSP stapling (certificate status checking). The curl test harness reports cert-status: OFF via curlinfo, which may cause some tests to be skipped.
What needs to be done
- Implement OCSP stapling support in the TLS layer (rustls supports this via CertificateTransparencyPolicy and server certificate verification)
- Support the --cert-status CLI flag (request OCSP stapling from the server, fail if the server doesn't provide a valid stapled response)
- Report cert-status as enabled in curlinfo/feature detection
curl behavior
When --cert-status is used, curl requests the TLS server to include an OCSP response in the handshake. If the server doesn't staple a valid OCSP response, curl fails with error 91 (CURLE_SSL_INVALIDCERTSTATUS).
Context
This was identified while analyzing the 93 skipped tests in the curl test suite (tests 1-1400). Implementing this feature could unskip tests that are currently disabled due to cert-status: OFF in the curlinfo feature detection.
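
Added example, not urlx or curl code: the fail-closed decision that the --cert-status behaviour described above requires, narrowed to the outer OCSPResponse envelope of the stapled bytes. All function and type names are hypothetical; verifying the responder signature, the certificate's status and the response's freshness is assumed to happen on the returned bytes afterwards.

```rust
// Added example (not urlx code): fail-closed envelope check of a stapled OCSP
// response. All names are hypothetical; sample bytes in main are constructed.
pub const CURLE_SSL_INVALIDCERTSTATUS: i32 = 91; // exit code named in the issue

#[derive(Debug, PartialEq)]
pub enum StapleError {
    Missing,           // server stapled nothing
    Malformed,         // not a parseable OCSPResponse
    NotSuccessful(u8), // responseStatus other than successful(0)
    NoResponseBytes,   // successful(0) but nothing to verify
}

/// Read one DER TLV: (tag, content, rest). Lengths up to 4 bytes, no minimal-length check.
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 || rest.len() < n { return None; }
        (rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}

/// OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }
/// Returns the ResponseBytes DER, which still needs signature, status and freshness checks.
pub fn check_staple(staple: &[u8]) -> Result<&[u8], StapleError> {
    if staple.is_empty() { return Err(StapleError::Missing); }
    let (tag, body, trailing) = read_tlv(staple).ok_or(StapleError::Malformed)?;
    if tag != 0x30 || !trailing.is_empty() { return Err(StapleError::Malformed); }
    let (tag, status, rest) = read_tlv(body).ok_or(StapleError::Malformed)?;
    if tag != 0x0a || status.len() != 1 { return Err(StapleError::Malformed); }
    if status[0] != 0 { return Err(StapleError::NotSuccessful(status[0])); }
    if rest.is_empty() { return Err(StapleError::NoResponseBytes); }
    match read_tlv(rest) {
        Some((0xa0, bytes, [])) => Ok(bytes),
        _ => Err(StapleError::Malformed),
    }
}

/// Without --cert-status a missing staple is not an error; with it, any failure is exit 91.
pub fn exit_code(cert_status_requested: bool, staple: &[u8]) -> i32 {
    if cert_status_requested && check_staple(staple).is_err() { CURLE_SSL_INVALIDCERTSTATUS } else { 0 }
}

fn main() { println!("{}", exit_code(true, &[0x30, 0x03, 0x0a, 0x01, 0x03])); }
```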