Your message dated Thu, 11 Dec 2014 18:34:14 +0000
with message-id <[email protected]>
and subject line Bug#772055: fixed in gnutls28 3.3.11-1
has caused the Debian Bug report #772055,
regarding libgnutls-deb0-28:amd64: Certificate Status Request (OCSP stapling) check fails with mozilla.org
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
772055: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772055
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls-deb0-28
Version: 3.3.8-5
Severity: normal

Hi,

I've been playing with GnuTLS OCSP stapling support, but I noticed that it seems
to reject apparently valid responses (e.g. the mozilla.org one).

I attached a "simple" code example that connects to a server and checks the
stapled OCSP response using gnutls_ocsp_status_request_is_checked().

Compile with "cc ocsp.c -lgnutls" and run with "./a.out <host> <port>".

For example if I run it against mozilla.org, I get:

  % ./a.out mozilla.org 443
  Certificate check FAIL

but other hosts work fine:

  % ./a.out tn123.org 443
  Certificate check OK

and OpenSSL works fine with both.

Cheers

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls-deb0-28:amd64 depends on:
ii  libc6              2.19-13
ii  libgmp10           2:6.0.0+dfsg-6
ii  libhogweed2        2.7.1-3
ii  libnettle4         2.7.1-3
ii  libp11-kit0        0.20.7-1
ii  libtasn1-6         4.2-2
ii  multiarch-support  2.19-13
ii  zlib1g             1:1.2.8.dfsg-2+b1

libgnutls-deb0-28:amd64 recommends no packages.

Versions of packages libgnutls-deb0-28:amd64 suggests:
ii  gnutls-bin  3.3.8-5

-- no debconf information

/* This example code is placed in the public domain. */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

#include <gnutls/gnutls.h>
#include <gnutls/ocsp.h>
#include <gnutls/x509.h>

#define CAFILE "/etc/ssl/certs/ca-certificates.crt"

static int tcp_connect(const char *, const char *);

int main(int argc, char *argv[]) {
	int ret, sd = -1, type, rc = 1;
	unsigned int status;

	gnutls_datum_t out, resp;
	gnutls_session_t session;
	gnutls_typed_vdata_st data[2];
	gnutls_certificate_credentials_t xcred;

	if (argc != 3) {
		fprintf(stderr, "usage: %s <host> <port>\n", argv[0]);
		return 1;
	}

	/* for backwards compatibility with gnutls < 3.3.0 */
	gnutls_global_init();

	/* X509 stuff */
	gnutls_certificate_allocate_credentials(&xcred);

	/* sets the trusted cas file */
	gnutls_certificate_set_x509_trust_file(xcred, CAFILE, GNUTLS_X509_FMT_PEM);

	/* Initialize TLS session */
	gnutls_init(&session, GNUTLS_CLIENT);

	/* SNI, so the server selects the right certificate (and its staple) */
	gnutls_server_name_set(session, GNUTLS_NAME_DNS, argv[1], strlen(argv[1]));

	/* use default priorities */
	gnutls_set_default_priority(session);

	/* put the x509 credentials to the current session */
	gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);

	/* connect to the peer */
	sd = tcp_connect(argv[1], argv[2]);
	if (sd < 0) {
		fprintf(stderr, "could not connect to %s:%s\n", argv[1], argv[2]);
		goto cleanup;
	}

	gnutls_transport_set_int(session, sd);
	gnutls_handshake_set_timeout(session, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);

	/* Perform the TLS handshake; retry only on non-fatal (interrupted/again) errors */
	do {
		ret = gnutls_handshake(session);
	} while (ret < 0 && gnutls_error_is_fatal(ret) == 0);

	if (ret < 0) {
		fprintf(stderr, "Handshake failed: %s\n", gnutls_strerror(ret));
		goto cleanup;
	}

	memset(data, 0, sizeof(data));

	/* verify the chain against CAFILE, the expected hostname and the TLS
	 * server key purpose; a stapled OCSP response is evaluated here as well */
	data[0].type = GNUTLS_DT_DNS_HOSTNAME;
	data[0].data = (void*)argv[1];

	data[1].type = GNUTLS_DT_KEY_PURPOSE_OID;
	data[1].data = (void*)GNUTLS_KP_TLS_WWW_SERVER;

	ret = gnutls_certificate_verify_peers(session, data, 2, &status);
	if (ret < 0) {
		fprintf(stderr, "Error: %s\n", gnutls_strerror(ret));
		goto cleanup;
	}

	/* status is a bitmask of GNUTLS_CERT_* failure flags; 0 means trusted */
	type = gnutls_certificate_type_get(session);
	if (gnutls_certificate_verification_status_print(status, type, &out, 0) >= 0) {
		fprintf(stderr, "%s\n", out.data);
		gnutls_free(out.data);
	}

	if (status & GNUTLS_CERT_REVOKED)
		fprintf(stderr, "Certificate revoked\n");

	/* tell "server stapled nothing" apart from "stapled response rejected" */
	if (gnutls_ocsp_status_request_get(session, &resp) < 0)
		fprintf(stderr, "No OCSP response stapled\n");

	/* non-zero only if a stapled response was received, parsed and found valid */
	if (gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
		fprintf(stderr, "Certificate check FAIL\n");
	} else {
		fprintf(stderr, "Certificate check OK\n");
		rc = (status == 0) ? 0 : 1;
	}

	gnutls_bye(session, GNUTLS_SHUT_RDWR);

cleanup:
	if (sd >= 0)
		close(sd);
	gnutls_deinit(session);
	gnutls_certificate_free_credentials(xcred);
	gnutls_global_deinit();

	return rc;
}

static int tcp_connect(const char *host, const char *port) {
	int err, sd = -1;
	struct addrinfo hints, *res, *r;

	memset(&hints, 0, sizeof(struct addrinfo));
	hints.ai_family = AF_INET;
	hints.ai_socktype = SOCK_STREAM;

	err = getaddrinfo(host, port, &hints, &res);
	if (err != 0) {
		/* getaddrinfo() does not set errno, so perror() would be misleading */
		fprintf(stderr, "getaddrinfo(): %s\n", gai_strerror(err));
		return -1;
	}

	for (r = res; r != NULL; r = r->ai_next) {
		sd = socket(r->ai_family, r->ai_socktype, r->ai_protocol);
		if (sd == -1)
			continue;

		if (connect(sd, r->ai_addr, r->ai_addrlen) == 0)
			break;

		close(sd);
		sd = -1;
	}

	freeaddrinfo(res);

	/* -1 if no address could be connected */
	return sd;
}

--- End Message ---
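The reporter compared GnuTLS against OpenSSL by hand. The following POSIX shell helper is an added example, not part of the bug report, of GnuTLS or of Debian: it drives `openssl s_client -status` (the `openssl` binary is assumed to be on PATH) and reduces its output to one token, so that a server that staples nothing is not confused with a stapled response that the verifying library rejected. The sample outputs embedded in it are constructed and abridged, not captured from mozilla.org or tn123.org.

```shell
#!/bin/sh
# Added example: cross-check a server's stapled OCSP response with OpenSSL.
# Assumes `openssl` is on PATH; host and optional port are positional arguments.

# Reduce `openssl s_client -status` output to a single token:
#   good | revoked | unknown  -> Cert Status of the stapled response
#   none                      -> the server stapled no response at all
#   unparsed                  -> no recognisable OCSP section in the output
ocsp_staple_status() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /^ *Cert Status:/                   { print $3;     found = 1; exit }
        END { if (!found) print "unparsed" }
    '
}

# Live check: handshake with SNI and the status_request extension enabled.
check_staple() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | ocsp_staple_status
}

# Constructed sample outputs (abridged, not captured from a real server).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec 10 00:00:00 2014 GMT
    Next Update: Dec 17 00:00:00 2014 GMT
======================================'
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Dec  1 00:00:00 2014 GMT'
SAMPLE_NONE='OCSP response: no response sent
---
Certificate chain'

# Usage: ./ocsp-check.sh mozilla.org 443
if [ $# -ge 1 ]; then
    check_staple "$@"
fi
```

When the token is `none`, the GnuTLS test program above is expected to print `Certificate check FAIL` as well, since `gnutls_ocsp_status_request_is_checked()` returns zero whenever no valid stapled response exists; only a `good` or `revoked` token from OpenSSL combined with a GnuTLS failure points at a parsing or validation difference of the kind this bug reports.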
--- Begin Message ---
Source: gnutls28
Source-Version: 3.3.11-1

We believe that the bug you reported is fixed in the latest version of
gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 Dec 2014 19:07:23 +0100
Source: gnutls28
Binary: libgnutls28-dev libgnutls-deb0-28 libgnutls28-dbg gnutls-bin gnutls-doc guile-gnutls libgnutlsxx28 libgnutls-openssl27
Architecture: source i386 all
Version: 3.3.11-1
Distribution: experimental
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Description:
 gnutls-bin - GNU TLS library - commandline utilities
 gnutls-doc - GNU TLS library - documentation and examples
 guile-gnutls - GNU TLS library - GNU Guile bindings
 libgnutls-deb0-28 - GNU TLS library - main runtime library
 libgnutls-openssl27 - GNU TLS library - OpenSSL wrapper
 libgnutls28-dbg - GNU TLS library - debugger symbols
 libgnutls28-dev - GNU TLS library - development files
 libgnutlsxx28 - GNU TLS library - C++ runtime library
Closes: 772055
Changes:
 gnutls28 (3.3.11-1) experimental; urgency=medium
 .
   * New upstream version.
     + Includes fix for OCSP response parsing issue. Closes: #772055
Checksums-Sha1:
 f57a389bb0ab8d616c9a49f16e929589f44679b2 2920 gnutls28_3.3.11-1.dsc
 82db10dc9b10d03cacbb86b567ef692401f34add 6176080 gnutls28_3.3.11.orig.tar.xz
 c787edb1547a69470e247a7dbce35dccf7529162 84056 gnutls28_3.3.11-1.debian.tar.xz
 63b183bd0bbd97e9b61f4682e82857ac34a2a97b 688890 libgnutls28-dev_3.3.11-1_i386.deb
 3f3a059331de7993d3d06abfe6676ff6680b9daf 717712 libgnutls-deb0-28_3.3.11-1_i386.deb
 03291a15b155648607eebb78102cb5bb7fb43d1f 1935872 libgnutls28-dbg_3.3.11-1_i386.deb
 ac6eeda1dc91d0e578616e544ff2f6af736af93e 318700 gnutls-bin_3.3.11-1_i386.deb
 a505ccc0c3cd109414f7dc580d222a916c49fc0a 3639394 gnutls-doc_3.3.11-1_all.deb
 dda60925d867310bb25e1056a3ab47eab193da7f 181432 guile-gnutls_3.3.11-1_i386.deb
 ceccc8b04cfaed8fca23ba4759430b383ea91ffe 15434 libgnutlsxx28_3.3.11-1_i386.deb
 fede6cf5b501d5307444422ef535638206bd1980 148316 libgnutls-openssl27_3.3.11-1_i386.deb
Checksums-Sha256:
 4749cf4ca90fc05498dc700792e70613341841414a16be3b087826d0a8547242 2920 gnutls28_3.3.11-1.dsc
 aef28d629b6ba824bd435f9b23506525e657e3746d4aa021296b13cbaaa6ae71 6176080 gnutls28_3.3.11.orig.tar.xz
 2962721264b94c0a6cc7109b2e7ac46f1cd84aea191794893825df2880152999 84056 gnutls28_3.3.11-1.debian.tar.xz
 7c8ff73ca1d114926f2dd7c2f34353eb26ae826874b33085cd14197d436c4635 688890 libgnutls28-dev_3.3.11-1_i386.deb
 c0b950839af6af8d589961ec5ac4ff4e6cf0fb4cd95035d56c42a4d5cccea391 717712 libgnutls-deb0-28_3.3.11-1_i386.deb
 8746d5b06d2285e27181ae1d6a147484b4a004b4919edde59de9a8ebf918cced 1935872 libgnutls28-dbg_3.3.11-1_i386.deb
 48eabf5d0b49bd6500504a98a467e993d8393512e7542f70fabc6a3cd110e555 318700 gnutls-bin_3.3.11-1_i386.deb
 92c235f316f1879c3700f3c2255028af70b900390d635cd2e5ba783961a81737 3639394 gnutls-doc_3.3.11-1_all.deb
 a07662891e14effd9de838e9f9c29d9ba6bf8ba58cde7e8a07a1722b24a739b3 181432 guile-gnutls_3.3.11-1_i386.deb
 8ef4beb0d09cdd7469b2ea3cbb7e29c91a678200700cda6f2a4d73899b4756b6 15434 libgnutlsxx28_3.3.11-1_i386.deb
 3b9d2039f9ee0b4423c955b9b09bd90faca18cc04a0bb375e2737010ffb75cc0 148316 libgnutls-openssl27_3.3.11-1_i386.deb
Files:
 f8a2f6806d98ea082222905ef9f7331a 2920 libs optional gnutls28_3.3.11-1.dsc
 b657e3010c10cae2244e7ce79ee3d446 6176080 libs optional gnutls28_3.3.11.orig.tar.xz
 b37667b7dd6cd823ef3c46bd66bd1782 84056 libs optional gnutls28_3.3.11-1.debian.tar.xz
 3fd7beedee55d883660c2adde8188e51 688890 libdevel optional libgnutls28-dev_3.3.11-1_i386.deb
 232202565c37d168b1f293d0d4676342 717712 libs standard libgnutls-deb0-28_3.3.11-1_i386.deb
 e67fcad256117df8efbd3232efecbff9 1935872 debug extra libgnutls28-dbg_3.3.11-1_i386.deb
 854115918b386ff65870ad9be510282b 318700 net optional gnutls-bin_3.3.11-1_i386.deb
 0972adfef070f876e69d310aafb814fc 3639394 doc optional gnutls-doc_3.3.11-1_all.deb
 10e68099c4820c070e6dc48467e169c7 181432 lisp optional guile-gnutls_3.3.11-1_i386.deb
 296c511cbdc680440d1deedcefc0306e 15434 libs extra libgnutlsxx28_3.3.11-1_i386.deb
 a6f24fc3ea1d571c66ec34f3c13f58a0 148316 libs standard libgnutls-openssl27_3.3.11-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---