[gnutls-devel] GnuTLS | Got OCSP response with an unrelated certificate, OCSP status response is invalid. (#1062)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Aug 13 11:59:53 CEST 2020



Giovanni Biscuolo created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1062



## Description of problem:

Programs using GnuTLS - tested with curl - cannot access actorws.epa.gov

## Version of gnutls used:

3.6.7

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):

GNU Guix

## How reproducible:

```shell
user at host: gnutls-cli --save-ocsp /tmp/actorws-ocsp.der --save-cert /tmp/actorws-certs.pem actorws.epa.gov

Processed 128 CA certificate(s).
Resolving 'actorws.epa.gov:443'...
Connecting to '134.67.99.60:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
	Public Key ID:
		sha1:884a27ada33cc533411036cde08f7c83bee2580e
		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
	Public Key PIN:
		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=

- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
[~]-
```

Please see the attached files from the above mentioned command:

[actorws-ocsp.der](/uploads/c71b07d68b4a87acedc53b66dc1ccaf0/actorws-ocsp.der)

[actorws-certs.pem](/uploads/557a5033d59afc3dae1ec7d00b9d21cd/actorws-certs.pem)

## Expected results:

Using a web browser (tested with Chromium and Firefox), the certificate is valid; not sure if the browser behaviour is correct or not.
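The check behind the "unrelated certificate" message, as an added example that is not part of the report or of GnuTLS: it recomputes the RFC 6960 CertID (serial, issuerNameHash, issuerKeyHash) from the issuer certificate and compares it with the CertID carried in the OCSP response, which is the comparison that fails when a server staples a response issued for some other certificate. It uses the Python `cryptography` package and mints its own throwaway CA, server certificate and responses rather than reading the attached actorws files.

```python
"""Constructed example: does an OCSP response's CertID (RFC 6960 4.1.1) name the server
certificate?  A throwaway CA is minted with `cryptography` instead of reading the attached
actorws-ocsp.der / actorws-certs.pem; the mismatch case is what GnuTLS calls unrelated."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def cert_id_matches(resp_der, cert, issuer):
    """True iff the CertID in resp_der is for `cert` issued by `issuer`: same serial, issuerNameHash
    over the issuer's DER Name, issuerKeyHash over the subjectPublicKey BIT STRING payload
    (which for an RSA issuer is exactly the PKCS#1 RSAPublicKey DER encoding)."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False                       # error responses carry no CertID to compare
    def digest(data):                      # use the hash algorithm the CertID itself names
        h = hashes.Hash(resp.hash_algorithm); h.update(data); return h.finalize()
    key_bits = issuer.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.PKCS1)
    return (resp.serial_number == cert.serial_number
            and resp.issuer_name_hash == digest(issuer.subject.public_bytes())
            and resp.issuer_key_hash == digest(key_bits))

def _mint(cn, serial, key, issuer=None, issuer_key=None):  # CA if issuer is None, else leaf
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + DAY)
            .sign(issuer_key or key, hashes.SHA256()))

def _ocsp_good(cert, issuer, issuer_key):  # a 'good' response whose CertID names `cert`
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW, next_update=NOW + DAY,
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, issuer)
    return builder.sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def demo():
    """(match for a response about a different cert, match for the right cert) -> (False, True)"""
    ca_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca = _mint("Constructed Test CA", 1, ca_key)
    server = _mint("*.example.test", 2, leaf_key, ca, ca_key)             # cert being validated
    other = _mint("unrelated.example.test", 3, leaf_key, ca, ca_key)      # different serial
    return (cert_id_matches(_ocsp_good(other, ca, ca_key), server, ca),
            cert_id_matches(_ocsp_good(server, ca, ca_key), server, ca))
```

Against real files, load the saved response with `ocsp.load_der_ocsp_response` and the two certificates from the saved PEM chain, then pass the leaf and its issuer to `cert_id_matches` to confirm whether the stapled response is about the certificate that was actually presented.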


