[gnutls-devel] GnuTLS | TLS handshake fails between OpenSSL 3.6.0 and GnuTLS (#1746)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Wed Oct 15 17:17:45 CEST 2025

Alicja Kario (@mention me if you need reply) commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823185375
Thank you!
OK, so it looks like the server is using OCSP stapling, but then it sends the `status_request` extension for all the certificates in the chain, while including an actual OCSP response only for the first one...
As we can read in
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.1
and then in 
https://datatracker.ietf.org/doc/html/rfc6066#page-15
the `OCSPResponse` object MUST NOT be empty (it needs to have a length
of at least 1):
```
      opaque OCSPResponse<1..2^24-1>;
```
That means that the server is behaving incorrectly.
Could you share details of how you configured OCSP stapling in it?
I wonder if it's a bug in OpenSSL or in nginx...
-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1746#note_2823185375
You're receiving this email because of your account on gitlab.com.
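To make the interoperability problem described in this thread concrete, here is an added example (not code from GnuTLS, OpenSSL or nginx) that parses a TLS 1.3 `Certificate` message body, walks each `CertificateEntry`, and reports whether its `status_request` extension carries a non-empty `OCSPResponse`. The extension type number (5) and the `ocsp(1)` status type come from RFC 6066; the vector widths follow RFC 8446 section 4.4.2. The certificate bytes and the OCSP response bytes in the sample message are constructed placeholders, not real DER; the builder function exists only to produce that sample.

```python
import struct

STATUS_REQUEST = 5      # extension_type "status_request" (RFC 6066)
STATUS_TYPE_OCSP = 1    # CertificateStatusType.ocsp (RFC 6066)


def _vec(data: bytes, len_bytes: int) -> bytes:
    """Encode a TLS variable-length vector with a len_bytes-wide length prefix."""
    return len(data).to_bytes(len_bytes, "big") + data


def _read_vec(buf: bytes, pos: int, len_bytes: int):
    """Read a length-prefixed vector at pos; return (contents, position after it)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector contents")
    return buf[pos:pos + n], pos + n


def build_certificate_message(entries) -> bytes:
    """Build a TLS 1.3 Certificate message body from (cert_data, ocsp) pairs.

    ocsp is None for "no status_request extension", otherwise the bytes placed
    in OCSPResponse (an empty bytes object reproduces the faulty server here).
    Used only to construct the sample input below.
    """
    cert_list = b""
    for cert_data, ocsp in entries:
        exts = b""
        if ocsp is not None:
            status = bytes([STATUS_TYPE_OCSP]) + _vec(ocsp, 3)   # CertificateStatus
            exts += struct.pack("!H", STATUS_REQUEST) + _vec(status, 2)
        cert_list += _vec(cert_data, 3) + _vec(exts, 2)         # CertificateEntry
    return _vec(b"", 1) + _vec(cert_list, 3)  # empty certificate_request_context


def check_certificate_status(msg: bytes):
    """Return one (verdict, ocsp_length) per CertificateEntry.

    verdict is "ok" (OCSPResponse present, >= 1 byte), "empty" (extension sent
    but OCSPResponse has length 0, which RFC 6066 forbids), "absent" (no
    status_request extension) or "malformed" (unparseable CertificateStatus).
    """
    _ctx, pos = _read_vec(msg, 0, 1)
    cert_list, pos = _read_vec(msg, pos, 3)
    if pos != len(msg):
        raise ValueError("trailing bytes after certificate_list")

    results = []
    p = 0
    while p < len(cert_list):
        cert_data, p = _read_vec(cert_list, p, 3)
        if not cert_data:
            raise ValueError("cert_data<1..2^24-1> must not be empty")
        exts, p = _read_vec(cert_list, p, 2)

        verdict = ("absent", None)
        q = 0
        while q < len(exts):
            if q + 2 > len(exts):
                raise ValueError("truncated extension_type")
            ext_type = int.from_bytes(exts[q:q + 2], "big")
            ext_data, q = _read_vec(exts, q + 2, 2)
            if ext_type != STATUS_REQUEST:
                continue
            if not ext_data or ext_data[0] != STATUS_TYPE_OCSP:
                verdict = ("malformed", None)
                continue
            ocsp, end = _read_vec(ext_data, 1, 3)
            if end != len(ext_data):
                verdict = ("malformed", None)
            elif len(ocsp) == 0:
                verdict = ("empty", 0)          # the behaviour reported in the issue
            else:
                verdict = ("ok", len(ocsp))
        results.append(verdict)
    return results


def example_message() -> bytes:
    """Constructed sample: leaf with a stapled response, intermediate with an
    empty OCSPResponse, root with no status_request at all."""
    return build_certificate_message([
        (b"LEAF-CERT-PLACEHOLDER", b"\x30\x03\x0a\x01\x00"),   # constructed bytes
        (b"INTERMEDIATE-PLACEHOLDER", b""),                     # empty OCSPResponse
        (b"ROOT-PLACEHOLDER", None),
    ])


if __name__ == "__main__":
    for i, (verdict, n) in enumerate(check_certificate_status(example_message())):
        print(f"CertificateEntry {i}: {verdict}" + (f" ({n} bytes)" if n else ""))
```

A strict client that enforces the `<1..2^24-1>` bound will reject the second entry of the sample message outright; the check above instead reports each entry so the offending position in the chain is visible when debugging a server configuration.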