On Wed, Dec 13, 2017 at 12:07 PM, Johannes Bauer <[email protected]> wrote:
> Hi again, Nikos,
>
> On 13.12.2017 11:38, Johannes Bauer wrote:
>
>> The certificate that I pass to gnutls-cli is that exact root
>> certificate. So IMHO, gnuTLS should have all the required trust
>> prerequisites to validate the certificate, shouldn't it? I will now also
>> try to make the server send the root CA cert as well in its response and
>> see if that changes the behavior.
>
> Indeed it does!
>
> When the server includes its root of trust in the CA certificate chain
> sent to the client, the gnuTLS client accepts the OCSP ticket as valid,
> even though the client already has access to that certificate via its
> trust store.
> So, for now, this works as a workaround for me -- but I do think that is
> unintended behavior on gnuTLS' side, isn't it?
I'm not sure. There is already a test for that (see tests/ocsp-tests/ocsp-tls-connection) and gnutls-cli seems to be able to connect. Could you help me by providing a reproducer for the issue? There may be something special in the certificates that you are using that is preventing the lookup of the OCSP response's CA.

regards,
Nikos
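The lookup the thread is about, as an added illustration that is not GnuTLS code: a stapled OCSP response signed directly by the root CA, and a signer lookup that consults the peer's presented chain first and then the local trust store, so the response verifies whether or not the server sends the root. It assumes the `cryptography` library; the root CA, server certificate and OCSP response are all generated inline.

```python
"""Find and verify the signer of a stapled OCSP response (added example).
Checks the peer-sent chain first, then the local trust store, so a response
signed by a trusted root verifies even when the server omits that root."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _cert(subject, issuer, key, signer_key, ca):
    """Build a minimal certificate; `ca` selects the BasicConstraints flag."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


# Constructed PKI: one root CA (the OCSP signer) and one server certificate.
root_key = ec.generate_private_key(ec.SECP256R1())
server_key = ec.generate_private_key(ec.SECP256R1())
root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Root CA")])
srv_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
ROOT = _cert(root_name, root_name, root_key, root_key, ca=True)
SERVER = _cert(srv_name, root_name, server_key, root_key, ca=False)


def build_staple():
    """OCSP response for SERVER signed by the root CA itself, as in the thread."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=SERVER, issuer=ROOT, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=datetime.datetime.now(datetime.timezone.utc),
        next_update=None, revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, ROOT)
    return builder.sign(root_key, hashes.SHA256())


def find_signer(resp, peer_chain, trust_store):
    """Return (source, cert) for the certificate whose key verifies `resp`.
    Peer-sent certificates are tried before the trust store; (None, None) if
    no candidate matches the responder name and verifies the signature."""
    for source, certs in (("peer-chain", peer_chain), ("trust-store", trust_store)):
        for cand in certs:
            if cand.subject != resp.responder_name:
                continue
            try:
                cand.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                         ec.ECDSA(resp.signature_hash_algorithm))
            except Exception:  # InvalidSignature: right name, wrong key
                continue
            return source, cand
    return None, None
```

With only the server certificate in the peer chain the signer is found in the trust store; with the root also sent by the server it is found in the peer chain, and with neither the lookup fails.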
