[gnutls-devel] GnuTLS | Got OCSP response with an unrelated certificate, OCSP status response is invalid. (#1062)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Aug 13 16:56:20 CEST 2020

Giovanni Biscuolo commented:

Hello,

Giovanni Biscuolo <gitlab at mg.gitlab.com> writes:

[...]

> ## Version of gnutls used:
>
> 3.6.7
>
> ## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
>
> GNU Guix

No sorry, I was wrong: the correct version used in Guix is 3.6.14

In my tests with gnutls-cli I was using the Debian-installed version (I
use Guix on top of Debian).

I've tested with the binary packaged in Guix (3.6.14) and the error is
the same.

> ## How reproducible:
>
> ``` shell
> user at host: gnutls-cli --save-ocsp /tmp/actorws-ocsp.der --save-cert /tmp/actorws-certs.pem actorws.epa.gov
>
> Processed 128 CA certificate(s).
> Resolving 'actorws.epa.gov:443'...
> Connecting to '134.67.99.60:443'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
>  - subject `CN=*.epa.gov,OU=OMS/OITO/EHD,O=Environmental Protection Agency,L=Durham,ST=North Carolina,C=US', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x0caca7602da89b50c3820b33518c827a, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-25 00:00:00 UTC', expires `2021-04-19 12:00:00 UTC', pin-sha256="o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk="
> 	Public Key ID:
> 		sha1:884a27ada33cc533411036cde08f7c83bee2580e
> 		sha256:a39776b6463318d12800bcda3e901de6af928a66b63276db22d13ae02a720c29
> 	Public Key PIN:
> 		pin-sha256:o5d2tkYzGNEoALzaPpAd5q+Sima2MnbbItE64CpyDCk=
>
> - Certificate[1] info:
>  - subject `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-03-08 12:00:00 UTC', expires `2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
> |<1>| Got OCSP response with an unrelated certificate.
> - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> [~]-
> ```

Best regards, Gio'

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1062#note_395603359
You're receiving this email because of your account on gitlab.com.
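The `|<1>| Got OCSP response with an unrelated certificate.` line in the transcript above means the stapled response's CertID does not name the server's leaf certificate. The check a client performs (RFC 6960 section 4.1.1; GnuTLS exposes it as `gnutls_ocsp_resp_check_crt()`) compares three things: the hash of the issuer's subject Name, the hash of the issuer's public key bits, and the serial number. The following is an added example, not GnuTLS code and not part of this thread: it reimplements that comparison over DER with only the Python standard library, and constructs its own fake CA/leaf pair with dummy signatures so it runs offline. Names such as `Example Issuing CA`, the serials and the key bytes are constructed sample values.

```python
"""Decide whether an OCSP CertID refers to a given leaf certificate.

Added example, not GnuTLS code: it reimplements the relation from
RFC 6960 section 4.1.1 (issuerNameHash, issuerKeyHash, serialNumber)
that a TLS client checks before trusting a stapled response.  All
certificates below are constructed in-line with a dummy signature.
"""
import hashlib

HASHES = {b"\x2b\x0e\x03\x02\x1a": "sha1",                      # id-sha1
          b"\x60\x86\x48\x01\x65\x03\x04\x02\x01": "sha256"}    # id-sha256


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, val, pos = der_read(content, pos)
        out.append((tag, val, content[start:pos]))
    return out


def cert_fields(cert_der):
    """Pull serial, raw subject Name and public-key bits out of a DER certificate."""
    tbs = der_children(der_read(cert_der)[1])[0][1]
    f = der_children(tbs)
    if f[0][0] == 0xA0:                     # skip optional [0] EXPLICIT version
        f = f[1:]
    key = der_children(f[5][1])[1][1][1:]   # BIT STRING minus unused-bits octet
    return {"serial": int.from_bytes(f[0][1], "big", signed=True),
            "subject": f[4][2], "key": key}


def certid_fields(certid_der):
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }"""
    alg, name_hash, key_hash, serial = der_children(der_read(certid_der)[1])
    return {"hash": HASHES[der_children(alg[1])[0][1]],
            "name_hash": name_hash[1], "key_hash": key_hash[1],
            "serial": int.from_bytes(serial[1], "big", signed=True)}


def certid_matches(certid_der, leaf_der, issuer_der):
    """True iff the CertID names leaf_der as issued by issuer_der."""
    cid, leaf, iss = certid_fields(certid_der), cert_fields(leaf_der), cert_fields(issuer_der)
    h = lambda b: hashlib.new(cid["hash"], b).digest()
    return (cid["serial"] == leaf["serial"] and cid["name_hash"] == h(iss["subject"])
            and cid["key_hash"] == h(iss["key"]))


# --- constructed test data: a tiny DER encoder and a fake CA/leaf pair ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(v):                             # non-negative integers only
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def make_cert(serial, issuer_cn, subject_cn, key_bits):
    """Syntactically valid X.509 cert; the signature is a dummy (never verified here)."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
               + der(0x03, b"\x00" + key_bits))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + alg + name(issuer_cn)
              + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))


def make_certid(issuer_der, serial, algo="sha1"):
    """The CertID a responder would put in a SingleResponse for (issuer, serial)."""
    iss, oid = cert_fields(issuer_der), {v: k for k, v in HASHES.items()}[algo]
    h = lambda b: hashlib.new(algo, b).digest()
    return der(0x30, der(0x30, der(0x06, oid) + der(0x05, b"")) + der(0x04, h(iss["subject"]))
               + der(0x04, h(iss["key"])) + der_int(serial))


def demo():
    """A matching response vs. one issued for a different serial ("unrelated certificate")."""
    ca = make_cert(1, "Example Root", "Example Issuing CA", b"\x01" * 32)
    leaf = make_cert(0x1A2B3C4D, "Example Issuing CA", "*.example.test", b"\x02" * 32)
    related = make_certid(ca, 0x1A2B3C4D)
    unrelated = make_certid(ca, 0x5E6F)     # e.g. a response cached for a previous cert
    return certid_matches(related, leaf, ca), certid_matches(unrelated, leaf, ca)


if __name__ == "__main__":
    print(demo())                           # (True, False)
```

With files saved the way the transcript does (`--save-ocsp` and `--save-cert`), the same comparison can be done by hand: `ocsptool -i --load-response /tmp/actorws-ocsp.der` prints the response's serial and issuer hashes, and `certtool -i --infile /tmp/actorws-certs.pem` prints the leaf serial; a serial that belongs to a previous certificate of the same site is the usual reason for this message after a certificate renewal when the server keeps serving an old cached response.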

