[gnutls-devel] GnuTLS | OCSP must staple issue on incorrect list (#786)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Jun 8 09:23:18 CEST 2019



New Issue was created.

Issue 786: https://gitlab.com/gnutls/gnutls/issues/786
Author:    Nikos Mavrogiannopoulos
Assignees: 

When a server chain is received that contains:
```
1. [server cert] || [ocsp response]
2. [server cert]
3. [ca cert]
```

and the server cert has the extension that requires an OCSP response, then gnutls will fail to verify that chain.

The code that enforces it goes through the list of the certificates as sent by the server and enforces the flag. It fails at point (2) because the certificate is not accompanied by a corresponding response. Indeed the response was previously sent in step 1, so gnutls could have used it.

We could introduce some logic to handle it, though I am not sure whether the problem is significant enough to warrant additional complexity.

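The failure mode in the report, and the relaxation it proposes, as an added example in plain C. This is not GnuTLS code: the `cert_entry` struct, the fingerprint strings standing in for DER certificates, the response strings and the three chains are all constructed for illustration. `must_staple_check_strict` mirrors the per-entry enforcement the issue describes (it stops at the second copy of the server certificate because that entry carries no response of its own); `must_staple_check_reuse` additionally accepts a response stapled to an earlier entry that holds the same certificate, and only the same certificate. Indices are 0-based, so "point (2)" in the report is index 1 here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One entry of the server's Certificate message: the certificate plus the
 * OCSP response stapled to it, if any.  The certificate is stood in for by a
 * hypothetical fingerprint string; real code would compare the DER bytes. */
struct cert_entry {
    const char *fingerprint;   /* hypothetical identifier for the DER certificate */
    bool must_staple;          /* certificate carries the TLS feature extension (status_request) */
    const char *ocsp_response; /* NULL when this entry has no stapled response */
};

/* Constructed chain reproducing the report: the server certificate appears
 * twice and only the first copy carries the OCSP response. */
const struct cert_entry example_chain[] = {
    { "sha256:server", true,  "ocsp-response-for-server" },
    { "sha256:server", true,  NULL },
    { "sha256:ca",     false, NULL },
};
const size_t example_chain_len = sizeof example_chain / sizeof example_chain[0];

/* Constructed chain with no response anywhere: must fail under both checks. */
const struct cert_entry example_chain_missing[] = {
    { "sha256:server", true,  NULL },
    { "sha256:ca",     false, NULL },
};
const size_t example_chain_missing_len =
    sizeof example_chain_missing / sizeof example_chain_missing[0];

/* Constructed chain where an earlier entry carries a response for a
 * different certificate: reuse must not pick it up. */
const struct cert_entry example_chain_mismatch[] = {
    { "sha256:other",  false, "ocsp-response-for-other" },
    { "sha256:server", true,  NULL },
    { "sha256:ca",     false, NULL },
};
const size_t example_chain_mismatch_len =
    sizeof example_chain_mismatch / sizeof example_chain_mismatch[0];

/* Per-entry enforcement as the report describes it: every must-staple
 * certificate has to be accompanied by its own response.  Returns the index
 * of the first failing entry, or -1 when the chain passes. */
int must_staple_check_strict(const struct cert_entry *chain, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (chain[i].must_staple && chain[i].ocsp_response == NULL)
            return (int)i;
    }
    return -1;
}

/* Response lookup that also accepts a response stapled to an earlier entry
 * holding the same certificate.  The response itself must still be validated
 * against the certificate's serial and issuer and for freshness, which is
 * outside this sketch. */
const char *ocsp_response_for(const struct cert_entry *chain, size_t idx)
{
    if (chain[idx].ocsp_response != NULL)
        return chain[idx].ocsp_response;
    for (size_t j = 0; j < idx; j++) {
        if (chain[j].ocsp_response != NULL &&
            strcmp(chain[j].fingerprint, chain[idx].fingerprint) == 0)
            return chain[j].ocsp_response;
    }
    return NULL;
}

/* Same contract as the strict check, using the reuse-aware lookup. */
int must_staple_check_reuse(const struct cert_entry *chain, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (chain[i].must_staple && ocsp_response_for(chain, i) == NULL)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    printf("strict check, duplicated server cert: fails at entry %d\n",
           must_staple_check_strict(example_chain, example_chain_len));
    printf("reuse check, duplicated server cert:  fails at entry %d\n",
           must_staple_check_reuse(example_chain, example_chain_len));
    printf("reuse check, no response at all:      fails at entry %d\n",
           must_staple_check_reuse(example_chain_missing, example_chain_missing_len));
    printf("reuse check, response for other cert: fails at entry %d\n",
           must_staple_check_reuse(example_chain_mismatch, example_chain_mismatch_len));
    return 0;
}
```

The lookup keys on the certificate, not on the position in the list, so a response stapled to some other certificate earlier in the chain is never borrowed; that is the property worth keeping if the relaxation is ever implemented.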

