[gnutls-help] Problem with OCSP status in gnutls-cli

Johannes Bauer dfnsonfsduifb at gmx.de
Wed Dec 13 12:07:46 CET 2017


Hi again, Nikos,

On 13.12.2017 11:38, Johannes Bauer wrote:

> The certificate that I pass to gnutls-cli is that exact root
> certificate. So IMHO, gnuTLS should have all the required trust
> prerequisites to validate the certificate, shouldn't it? I will now also
> try to make the server send the root CA cert as well in its response and
> see if that changes the behavior.

Indeed it does!

When the server includes its root of trust in the CA certificate chain
sent to the client, the gnuTLS client accepts the OCSP ticket as valid,
even though the client already has access to that certificate via its
trust store.

So, for now, this works as a workaround for me -- but I do think that is
unintended behavior on gnuTLS' side, isn't it?

Thanks for helping me with this,
Kind regards,
Johannes
