[gnutls-devel] GnuTLS | Check all OCSP responses (#1372)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 19 21:19:16 CEST 2022
Evan Ward created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1372
## Description of problem:
Currently gnutls-cli fails to verify the server certificate that openssl s_client does verify. Based on the openssl output the relevant OCSP response is the 19th out of 20 responses. In https://gitlab.com/gnutls/gnutls/-/blob/master/lib/cert-session.c#L284 it seems that gnutls only checks the first OCSP response. Gnutls output:
```
|<3>| ASSERT: ../../../lib/x509/ocsp.c[gnutls_ocsp_resp_check_crt]:1414
|<3>| ASSERT: ../../lib/cert-session.c[check_ocsp_response]:286
|<1>| Got OCSP response with an unrelated certificate.
|<3>| ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:98
|<3>| ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
|<3>| ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_run_verify_callback]:3000
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:3119
*** Fatal error: Error in the certificate.
```
The message "Got OCSP response with an unrelated certificate." is correct as 19 unrelated responses were received. That should not preclude verifying the one valid response.
## Version of gnutls used:
3.7.3
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Ubuntu
## How reproducible:
100% reproducible for the particular site.
Steps to Reproduce:
* Find a server that includes OCSP responses for many unrelated certificates along with the correct response. Make sure the correct response is not first in the list. Say example.com
* gnutls-cli example.com
* observe failure to verify certs
## Actual results:
see description
## Expected results:
gnutls checks all OCSP responses before deciding the OCSP is invalid.
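The following is an added illustration, not code from the GnuTLS project: a small self-contained C model of the two behaviours the report contrasts. `check_first_only()` consults only index 0, as the report says `check_ocsp_response()` does today; `check_all()` walks every stapled response the way a loop over `gnutls_ocsp_status_request_get2()` indices would, treating an "unrelated certificate" result from the `gnutls_ocsp_resp_check_crt()` stand-in as "keep looking" rather than "fail". The `ocsp_response` struct, the `resp_check_crt()` stand-in, the serial numbers and the 20-entry sample (real answer at index 18, i.e. the 19th) are all constructed for this example; the rule that a verified revoked answer outranks a verified good one is this example's own choice, not something the report specifies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stapled OCSP response (illustration only). */
typedef enum { OCSP_GOOD = 0, OCSP_REVOKED = 1, OCSP_UNKNOWN = 2 } ocsp_cert_status;

typedef struct {
    const char *serial;      /* serial number the response speaks about */
    ocsp_cert_status status; /* certStatus carried by the response */
    int signature_ok;        /* 1 if the response verified against its issuer */
} ocsp_response;

enum { VERIFY_OK = 0, VERIFY_REVOKED = 1, VERIFY_INVALID = 2 };

/* Stand-in for gnutls_ocsp_resp_check_crt(): 0 when the response is about
 * the certificate being verified, non-zero when it is unrelated. */
static int resp_check_crt(const ocsp_response *r, const char *serial)
{
    return strcmp(r->serial, serial) == 0 ? 0 : -1;
}

static int status_to_verdict(ocsp_cert_status s)
{
    switch (s) {
    case OCSP_GOOD:    return VERIFY_OK;
    case OCSP_REVOKED: return VERIFY_REVOKED;
    default:           return VERIFY_INVALID; /* "unknown" proves nothing */
    }
}

/* Behaviour the report describes: only the first stapled response counts,
 * so an unrelated response at index 0 fails the whole verification. */
int check_first_only(const ocsp_response *resps, size_t n, const char *serial)
{
    if (n == 0 || resp_check_crt(&resps[0], serial) != 0 || !resps[0].signature_ok)
        return VERIFY_INVALID;
    return status_to_verdict(resps[0].status);
}

/* Requested behaviour: examine every stapled response. Unrelated or
 * unverifiable responses are skipped; a related, verified "revoked"
 * answer is final; a related, verified "good" answer is accepted if no
 * revocation is seen; with nothing usable the status stays invalid.
 * *matched receives the index of the response that decided the verdict. */
int check_all(const ocsp_response *resps, size_t n, const char *serial, size_t *matched)
{
    int verdict = VERIFY_INVALID;
    for (size_t i = 0; i < n; i++) {
        if (resp_check_crt(&resps[i], serial) != 0)
            continue;              /* unrelated certificate: keep looking */
        if (!resps[i].signature_ok)
            continue;              /* unverifiable: never trust its status */
        int v = status_to_verdict(resps[i].status);
        if (v == VERIFY_REVOKED) {
            if (matched) *matched = i;
            return VERIFY_REVOKED; /* revocation outranks everything else */
        }
        if (v == VERIFY_OK && verdict != VERIFY_OK) {
            verdict = VERIFY_OK;
            if (matched) *matched = i;
        }
    }
    return verdict;
}

/* Constructed sample: 20 responses, the 19th (index 18) is the real one. */
#define SAMPLE_N 20
#define OUR_SERIAL "0A1B2C" /* constructed serial of the server certificate */

static size_t build_sample(ocsp_response *out)
{
    static char serials[SAMPLE_N][16];
    for (size_t i = 0; i < SAMPLE_N; i++) {
        snprintf(serials[i], sizeof serials[i], "UNRELATED%02u", (unsigned)i);
        out[i].serial = serials[i];
        out[i].status = OCSP_GOOD;
        out[i].signature_ok = 1;
    }
    out[18].serial = OUR_SERIAL;
    return SAMPLE_N;
}

int demo_first_only(void)
{
    ocsp_response r[SAMPLE_N];
    return check_first_only(r, build_sample(r), OUR_SERIAL); /* VERIFY_INVALID */
}

int demo_check_all(void)
{
    ocsp_response r[SAMPLE_N];
    return check_all(r, build_sample(r), OUR_SERIAL, NULL); /* VERIFY_OK */
}

size_t demo_matched_index(void)
{
    ocsp_response r[SAMPLE_N];
    size_t idx = 0;
    check_all(r, build_sample(r), OUR_SERIAL, &idx);
    return idx; /* 18 */
}

/* A verified revoked answer earlier in the list must not be masked by the
 * later good one. */
int demo_revoked_wins(void)
{
    ocsp_response r[SAMPLE_N];
    size_t n = build_sample(r);
    r[3].serial = OUR_SERIAL;
    r[3].status = OCSP_REVOKED;
    return check_all(r, n, OUR_SERIAL, NULL); /* VERIFY_REVOKED */
}

int main(void)
{
    printf("first-only: %d  all: %d (index %zu)  revoked-wins: %d\n",
           demo_first_only(), demo_check_all(), demo_matched_index(), demo_revoked_wins());
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c`. The point of the scan-all version is that "unrelated" and "unverifiable" are reasons to ignore a single response, not reasons to reject the handshake; only a response that is both about this certificate and cryptographically verified may decide the outcome, and a revocation found anywhere in the list must still be honoured.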