[gnutls-devel] broken OCSP response parser with some CAs

Andreas Metzler ametzler at bebt.de
Tue Sep 2 20:07:51 CEST 2014


this is <https://bugs.debian.org/759161>. I have not much to add,
except for the fact that it still applies to 3.3.7.

----- Forwarded message from Alessandro Ghedini <ghedo at debian.org> -----
From: Alessandro Ghedini <ghedo at debian.org>
Subject: Bug#759161: libgnutls-deb0-28: broken OCSP response parser with some

Package: libgnutls-deb0-28
Version: 3.3.6-2
Severity: normal


I've been playing with gnutls OCSP support but I noticed that it fails
to parse many apparently valid OCSP responses.

E.g. using gnutls-cli with the --ocsp option:

    % gnutls-cli --ocsp facebook.com 443
    importing response: ASN1 parser: Error in DER parsing.

I noticed that many of the rejected OCSP responses come from either
digicert.com or GlobalSign (e.g. other than facebook.com, try also
cloudflare.com, wikipedia.org, github.com, bitbucket.org, imgur.com,
...). Note that openssl works with them just fine.

Other CAs work fine (e.g. try yahoo.com, namecheap.com,
shipit.ubuntu.com, ...).


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls-deb0-28 depends on:
ii  libc6              2.19-9
ii  libgmp10           2:6.0.0+dfsg-6
ii  libhogweed2        2.7.1-3
ii  libnettle4         2.7.1-3
ii  libp11-kit0        0.20.3-2
ii  libtasn1-6         4.1-1
ii  multiarch-support  2.19-9
ii  zlib1g             1:1.2.8.dfsg-2

libgnutls-deb0-28 recommends no packages.

Versions of packages libgnutls-deb0-28 suggests:
ii  gnutls-bin  3.3.6-2

----- End forwarded message -----

More information about the Gnutls-devel mailing list