[gnutls-help] Problem with OCSP status in gnutls-cli

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Dec 13 12:46:31 CET 2017


On Wed, Dec 13, 2017 at 12:07 PM, Johannes Bauer <dfnsonfsduifb at gmx.de> wrote:
> Hi again, Nikos,
>
> On 13.12.2017 11:38, Johannes Bauer wrote:
>
>> The certificate that I pass to gnutls-cli is that exact root
>> certificate. So IMHO, gnuTLS should have all the required trust
>> prerequisites to validate the certificate, shouldn't it? I will now also
>> try to make the server send the root CA cert as well in its response and
>> see if that changes the behavior.
>
> Indeed it does!
>
> When the server includes its root of trust in the CA certificate chain
> sent to the client, the gnuTLS client accepts the OCSP ticket as valid,
> even though the client already has access to that certificate via its
> trust store.
> So, for now, this works as a workaround for me -- but I do think that is
> unintended behavior on gnuTLS' side, isn't it?

I'm not sure. There is already a test for that (see
tests/ocsp-tests/ocsp-tls-connection) and gnutls-cli seems to be able
to connect. Could you help me by providing a reproducer to the issue?
There may be something special in the certificates that you are using
that are preventing the lookup of the OCSP response's CA.

regards,
Nikos
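The exchange above turns on one step of stapled-OCSP validation: before the staple can be accepted, the client has to find the certificate that signed the OCSP response, and that certificate may come either from the chain the server sent or from the client's own trust store. The following is an added, self-contained example written for this thread; it is not GnuTLS code and does not claim to reproduce gnutls-cli's internal lookup. It builds a constructed root CA, a leaf certificate and an OCSP response signed by the root with the `cryptography` library, then shows a signer lookup that consults the peer chain first and the trust store second. The function names (`make_cert`, `build_ocsp_response`, `find_ocsp_signer`, `scenario`) are assumptions made for the example.

```python
"""
Constructed example (not GnuTLS code): locating the signer of a stapled OCSP
response in the peer's chain or, failing that, in the local trust store.
Requires the `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _now():
    # Naive UTC timestamp, accepted by the certificate and OCSP builders.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_cert(cn, key, issuer=None, issuer_key=None, ca=False):
    """Build a minimal certificate; self-signed when no issuer is given."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer.subject if issuer is not None else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())


def build_ocsp_response(leaf, issuer, issuer_key):
    """Produce a GOOD OCSP response for `leaf`, signed directly by its CA."""
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=leaf, issuer=issuer, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=_now(), next_update=_now() + datetime.timedelta(days=1),
            revocation_time=None, revocation_reason=None,
        )
        # Identify the responder by name; byKey (SHA-1 of the public key) is also handled below.
        .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _key_hash(cert):
    # SHA-1 over the subjectPublicKey BIT STRING, which is how byKey responder IDs are formed.
    return x509.SubjectKeyIdentifier.from_public_key(cert.public_key()).digest


def find_ocsp_signer(resp, peer_chain, trust_store):
    """Return the certificate that signed `resp`, or None if no candidate
    from the peer's chain or the trust store matches the responder ID and
    verifies the signature."""
    for cand in list(peer_chain) + list(trust_store):
        if resp.responder_name is not None and cand.subject != resp.responder_name:
            continue
        if resp.responder_key_hash is not None and _key_hash(cand) != resp.responder_key_hash:
            continue
        try:
            cand.public_key().verify(
                resp.signature, resp.tbs_response_bytes,
                padding.PKCS1v15(), resp.signature_hash_algorithm,
            )
        except InvalidSignature:
            continue
        return cand
    return None


# Constructed PKI: one root, one server certificate, one staple signed by the root.
ROOT_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
LEAF_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ROOT = make_cert("Example Root CA", ROOT_KEY, ca=True)
LEAF = make_cert("server.example", LEAF_KEY, issuer=ROOT, issuer_key=ROOT_KEY)
STAPLE = build_ocsp_response(LEAF, ROOT, ROOT_KEY)


def scenario(server_sends_root, client_trusts_root):
    """True when the staple's signer can be located under the given setup."""
    chain = [LEAF, ROOT] if server_sends_root else [LEAF]
    store = [ROOT] if client_trusts_root else []
    return find_ocsp_signer(STAPLE, chain, store) is not None


if __name__ == "__main__":
    print("root in chain only     :", scenario(True, False))
    print("root in trust store only:", scenario(False, True))
    print("root nowhere            :", scenario(False, False))
```

With the root only in the trust store, `find_ocsp_signer` still locates the signer, which is the outcome Johannes expected from his configuration; the third scenario, where the root is available from neither source, is the only one in which the lookup fails. The responder-ID filter keeps the signature check from being tried against every certificate the client knows about.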

