Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
set TLS option CURLSSLOPT_REVOKE_BEST_EFFORT
The Windows native TLS backend (Schannel) makes synchronous certificate revocation checks against a CRL server. For users behind a firewall, this server may be unreachable, causing the TLS connection to fail. The CURLSSLOPT_REVOKE_BEST_EFFORT option addresses precisely this situation, configuring Schannel to make a best effort revocation check but allowing the connection if the CRL server cannot be reached, as long as the certificate isn't already known to be revoked. This behavior matches the default revocation checking behavior on macOS (asynchronous best effort) and is strictly more secure than Linux where no CRL checking is done. Since the typical advice in such situations is to disable TLS host verification entirely, this is an improvement in that with this option, so long as the client's system CA roots are configured correctly, host verification will work and at least local MITM attcks are prevented.
- Loading branch information