Where's my revocation list?

The code of interest...

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let body = reqwest::blocking::get("https://revoked.badssl.com")?.text()?;
    println!("body = {:?}", body);
    println!();

    let body = reqwest::blocking::get("https://expired.badssl.com/")?.text()?;
    println!("body = {:?}", body);
    println!();

    Ok(())
}

The first call succeeds. My expectation is that it would not. Firefox certainly complains about the revoked certificate.

The second call fails as expected.

Is there something I have to do to get reqwest to use the operating system's revocation list? And why is that not the default?

Cargo.toml...

[package]
name = "revoked"
version = "0.1.0"
edition = "2021"

[dependencies]
reqwest = { version = "0.11.12", features = ["blocking"] }

The problem is confirmed on Windows 10 and Debian 10 using the latest version of Cargo / Rust.

2 Likes

Browsers like Firefox bundle their own CA and CRL data, and I believe do dynamic checking too. OpenSSL does not.

You may not have any, or they may not be sufficiently up-to-date.

Historically at least, revocation with OpenSSL required the application to jump through hoops (fetch the CRL and feed it back to OpenSSL or such), and was rare. This may have changed, but I sort of doubt it. For example I can fetch the revoked domain with curl (built on OpenSSL) as well.

I'm ignorant about the Windows situation.

Unfortunately I don't know how to automatically check revocation with Reqwest (or if it's even possible). Hopefully someone else does.

3 Likes
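To make the "jump through hoops" point concrete, here is an added, offline demonstration that is not from this thread or from reqwest's own code: it builds a throw-away CA, issues one leaf certificate, revokes it and publishes a CRL using only the openssl CLI, then runs `openssl verify` three ways. Plain verification still accepts the revoked leaf; only when the caller fetches the CRL and passes `-crl_check` does OpenSSL reject it, and asking for the check with no CRL on hand fails closed rather than silently skipping it. All file names, the `Demo-Root-CA` / `revoked.example` subjects and the assumption that `mktemp` and OpenSSL 1.1.1 or newer are installed are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): a local demo CA, one leaf cert and a CRL,
# built with the openssl CLI only, so nothing here touches the network.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: mktemp and openssl >= 1.1.1 exist

# Minimal config shared by `openssl req` (root cert) and `openssl ca` (issue/revoke).
setup_demo_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 01 > "$WORK/ca/serial"
  echo 01 > "$WORK/ca/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
x509_extensions  = v3_leaf
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  # Self-signed root with CA:TRUE and cRLSign so it can issue both certs and CRLs.
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 30 -subj /CN=Demo-Root-CA \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Leaf issued through `openssl ca` so it is recorded in the CA database.
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=revoked.example -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl ca -batch -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" \
    -out "$WORK/leaf.pem" -notext >/dev/null 2>&1
}

# What the CA operator does: revoke the leaf and publish a fresh CRL.
revoke_leaf() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Plain chain verification: this is all OpenSSL does unless the caller asks for more.
verify_plain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Revocation-aware verification: the caller fetched the CRL and feeds it back in.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Asking for the check with no CRL supplied: OpenSSL fails closed
# ("unable to get certificate CRL") instead of quietly skipping revocation.
verify_crl_check_without_crl() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

demo() {
  setup_demo_ca
  revoke_leaf
  if verify_plain; then echo "plain verify:           OK (revocation never consulted)"; fi
  if ! verify_with_crl; then echo "verify -crl_check +CRL: REJECTED (certificate revoked)"; fi
  if ! verify_crl_check_without_crl; then echo "verify -crl_check, no CRL: REJECTED (no CRL available)"; fi
}

demo
```

Run it with `sh demo.sh`; the three lines it prints are the whole story behind the first call in the original program succeeding: the default OpenSSL path is `verify_plain`, and a client gets the other two behaviours only by obtaining the CRL itself and turning the check on.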

If you enable the native-tls feature, you should have access to the use_native_tls() method when setting up your Client. That switches to your OS's TLS stack, and I imagine that would also give you your operating system's revocation list.

2 Likes

On Linux the OS's TLS stack is OpenSSL, so it has the same problem.

Cargo.toml...

[package]
name = "revoked"
version = "0.1.0"
edition = "2021"

[dependencies]
reqwest = { version = "0.11.12", features = ["blocking", "native-tls"] }

main.rs...

fn main() -> Result<(), Box<dyn std::error::Error>> {
/* */
    let client = reqwest::blocking::Client::builder()
        .use_native_tls()
        .build()?;

    let body = client.get("https://revoked.badssl.com").send()?.text()?;
    println!("body = {:?}", body);
    println!();

    let body = client.get("https://expired.badssl.com/").send()?.text()?;
    println!("body = {:?}", body);
    println!();
/* */

/* *
    let body = reqwest::blocking::get("https://revoked.badssl.com")?.text()?;
    println!("body = {:?}", body);
    println!();

    let body = reqwest::blocking::get("https://expired.badssl.com/")?.text()?;
    println!("body = {:?}", body);
    println!();
* */

    Ok(())
}

On Windows the two versions are indistinguishable. Ditto for Debian 10.
