Hi Nikos,

On 13.12.2017 12:46, Nikos Mavrogiannopoulos wrote:
>> So, for now, this works as a workaround for me -- but I do think that is
>> unintended behavior on gnuTLS' side, isn't it?
>
> I'm not sure. There is already a test for that (see
> tests/ocsp-tests/ocsp-tls-connection) and gnutls-cli seems to be able
> to connect. Could you help me by providing a reproducer to the issue?

Sure thing! I've created a blob, ocsp_reproducer.tar.gz (attached at bottom), that contains all certificates and an OCSP response which I crafted to be valid for a year. It relies on OpenSSL (possibly 1.1, don't know when the -status_file option was added).

Here's how it works:

$ ./start_server
[...]
~~~~~~~~~ NOT serving the status request ~~~~~~~~~
Using default temp DH parameters
ACCEPT

and then, in a separate terminal

$ ./connect_client
[...]
- Handshake was completed

But give "start_server" any argument and it'll serve OCSP:

$ ./start_server x
[...]
~~~~~~~~~ Serving OCSP status request ~~~~~~~~~
Using default temp DH parameters
ACCEPT

and then

$ ./connect_client
[...]
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

Let me know if there's anything else I can contribute. Thanks for looking into this!
Kind regards,
Johannes

ocsp_reproducer.tar.gz: (base64-encoded attachment)

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
