[gnutls-devel] broken OCSP response parser with some CAs
Andreas Metzler
ametzler at bebt.de
Tue Sep 2 20:07:51 CEST 2014
Hello,
this is <https://bugs.debian.org/759161>. I have not much to add,
except for the fact that it still applies to 3.3.7.
----- Forwarded message from Alessandro Ghedini <ghedo at debian.org> -----
From: Alessandro Ghedini <ghedo at debian.org>
Subject: Bug#759161: libgnutls-deb0-28: broken OCSP response parser with some
CAs
Package: libgnutls-deb0-28
Version: 3.3.6-2
Severity: normal
Hi,
I've been playing with gnutls OCSP support but I noticed that it fails
to parse many apparently valid OCSP responses.
E.g. using gnutls-cli with the --ocsp option:
% gnutls-cli --ocsp facebook.com 443
[...]
importing response: ASN1 parser: Error in DER parsing.
I noticed that many of the rejected OCSP responses come from either
digicert.com or GlobalSign (e.g. other than facebook.com, try also
cloudflare.com, wikipedia.org, github.com, bitbucket.org, imgur.com,
...). Note that openssl works with them just fine.
Other CAs work fine (e.g. try yahoo.com, namecheap.com,
shipit.ubuntu.com, ...).
Cheers
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libgnutls-deb0-28 depends on:
ii libc6 2.19-9
ii libgmp10 2:6.0.0+dfsg-6
ii libhogweed2 2.7.1-3
ii libnettle4 2.7.1-3
ii libp11-kit0 0.20.3-2
ii libtasn1-6 4.1-1
ii multiarch-support 2.19-9
ii zlib1g 1:1.2.8.dfsg-2
libgnutls-deb0-28 recommends no packages.
Versions of packages libgnutls-deb0-28 suggests:
ii gnutls-bin 3.3.6-2
----- End forwarded message -----
More information about the Gnutls-devel
mailing list