[gnutls-help] Problem with OCSP status in gnutls-cli

Johannes Bauer dfnsonfsduifb at gmx.de
Tue Dec 12 13:21:25 CET 2017


Hi list,

I'm currently writing some software for pentesting. It includes an OCSP
and TLS server that both are based on OpenSSL. With Ubuntu 17.04, I
added some integration tests that featured the gnutls-cli TLS client.
Yesterday I updated to Ubuntu 17.10 and now the gnutls tests are broken;
gnuTLS rejects the OCSP responses from my server as invalid.

Let me stress that it is *very* possible that the fault is not gnuTLS,
but my software. However, OpenSSL doesn't show any issue with the OCSP
response and from the error message I'm getting from gnuTLS I find
myself unable to debug the root cause of this issue. Here are the
certificates first:

Root certificate:

Server certificate:

OCSP response that's included in the ServerHello:
-----BEGIN OCSP RESPONSE-----
MIIBEgoBAKCCAQswggEHBgkrBgEFBQcwAQEEgfkwgfYwgZ6iFgQUTV3bnZY4luDx
YCj6vSqPjggzKcYYDzIwMTcxMjEyMTIwOTI3WjBzMHEwSTAJBgUrDgMCGgUABBS3
Mfjck2a2obQn2qhOU5CfoouacQQUTV3bnZY4luDxYCj6vSqPjggzKcYCECNIbi3P
wV4CpInSuwvPBRKAABgPMjAxNzEyMTIwOTA5MjdaoBEYDzIwMTcxMjI2MTIwOTI3
WjAKBggqhkjOPQQDAgNHADBEAiA2SYR4gyroYetUjezA5ZzwJZohOGjms4kBlYw3
Fzp2+AIgBmOh0xlwt6pSE/DRD2p0BtwEirdpb3QXgqirWeOMM1s=
-----END OCSP RESPONSE-----
(OCSP SHA256 of the DER is 36082255...)

Now, with OpenSSL, I can verify that OCSP response just fine:
$ openssl ocsp -respin ocsp.der -issuer root.crt -cert server.crt -text
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: B731F8DC9366B6A1B427DAA84E53909FA28B9A71
          Issuer Key Hash: 4D5DDB9D963896E0F16028FABD2A8F8E083329C6
          Serial Number: 23486E2DCFC15E02A489D2BB0BCF0512
    Request Extensions:
        OCSP Nonce:
            0410E58C1C5EAE62DD5E2EDE854CF02EA157
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 4D5DDB9D963896E0F16028FABD2A8F8E083329C6
    Produced At: Dec 12 12:09:27 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: B731F8DC9366B6A1B427DAA84E53909FA28B9A71
      Issuer Key Hash: 4D5DDB9D963896E0F16028FABD2A8F8E083329C6
      Serial Number: 23486E2DCFC15E02A489D2BB0BCF0512
    Cert Status: good
    This Update: Dec 12 09:09:27 2017 GMT
    Next Update: Dec 26 12:09:27 2017 GMT

    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:36:49:84:78:83:2a:e8:61:eb:54:8d:ec:c0:e5:
         9c:f0:25:9a:21:38:68:e6:b3:89:01:95:8c:37:17:3a:76:f8:
         02:20:06:63:a1:d3:19:70:b7:aa:52:13:f0:d1:0f:6a:74:06:
         dc:04:8a:b7:69:6f:74:17:82:a8:ab:59:e3:8c:33:5b
WARNING: no nonce in response
Response verify OK
server.crt: good
	This Update: Dec 12 09:09:27 2017 GMT
	Next Update: Dec 26 12:09:27 2017 GMT

Also, the certificates look OK, at least OpenSSL thinks so:
$ openssl verify -check_ss_sig -CAfile root.crt root.crt
root.crt: OK
$ openssl verify -CAfile root.crt server.crt
server.crt: OK

However:
$ LD_LIBRARY_PATH="/home/joe/tmp/gnutls-3.6.1/lib/.libs" \
    /home/joe/tmp/gnutls-3.6.1/src/.libs/gnutls-cli --port=9999 \
    --x509cafile=/home/joe/.config/ratched/root.crt 127.0.0.1
Processed 1 CA certificate(s).
Resolving '127.0.0.1:9999'...
Connecting to '127.0.0.1:9999'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=127.0.0.1', issuer `OU=ratched,CN=Evil root certificate',
serial 0x23486e2dcfc15e02a489d2bb0bcf0512, EC/ECDSA key 256 bits, signed
using ECDSA-SHA256, activated `2017-12-11 12:09:27 UTC', expires
`2018-12-12 12:09:27 UTC',
pin-sha256="a0SEAr7c1914pYZhUR9m1gvT+KMbx6/TY6gdWZ+JoXg="
	Public Key ID:
		sha1:fcfa19101266ef624aa968f13b30641038d03e32
		sha256:6b448402bedcd7dd78a58661511f66d60bd3f8a31bc7afd363a81d599f89a178
	Public Key PIN:
		pin-sha256:a0SEAr7c1914pYZhUR9m1gvT+KMbx6/TY6gdWZ+JoXg=

- Status: The certificate is NOT trusted. The received OCSP status
response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

With more debugging:
|<4>| HSK[0x55a19fda5a00]: CERTIFICATE STATUS (22) was received. Length
283[283], frag offset 0, frag length: 283, sequence: 0
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=127.0.0.1', issuer `OU=ratched,CN=Evil root certificate',
serial 0x23486e2dcfc15e02a489d2bb0bcf0512, EC/ECDSA key 256 bits, signed
using ECDSA-SHA256, activated `2017-12-11 12:09:27 UTC', expires
`2018-12-12 12:09:27 UTC',
pin-sha256="a0SEAr7c1914pYZhUR9m1gvT+KMbx6/TY6gdWZ+JoXg="
	Public Key ID:
		sha1:fcfa19101266ef624aa968f13b30641038d03e32
		sha256:6b448402bedcd7dd78a58661511f66d60bd3f8a31bc7afd363a81d599f89a178
	Public Key PIN:
		pin-sha256:a0SEAr7c1914pYZhUR9m1gvT+KMbx6/TY6gdWZ+JoXg=

|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1558
|<3>| ASSERT: ocsp.c[find_signercert]:1913
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:864
|<3>| ASSERT: ocsp.c[find_signercert]:2008
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1558
|<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2269
|<3>| ASSERT: x509.c[check_ocsp_response]:153
|<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
- Status: The certificate is NOT trusted. The received OCSP status
response is invalid.
*** PKI verification of server certificate failed...
|<3>| ASSERT: handshake.c[run_verify_callback]:2345
|<3>| ASSERT: handshake.c[handshake_client]:2441
*** Fatal error: Error in the certificate.
|<5>| REC: Sending Alert[2|42] - Certificate is bad
|<5>| REC[0x55a19fda5a00]: Preparing Packet Alert(21) with length: 2 and
min pad: 0
|<9>| ENC[0x55a19fda5a00]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<5>| REC[0x55a19fda5a00]: Sent Packet[2] Alert(21) in epoch 0 and length: 7
*** handshake has failed: Error in the certificate.

However, ocsptool says:
$ ocsptool --load-signer=root.crt -e <ocsp.der
Verifying OCSP Response: Success.

I've this issue with Ubuntu 17.10 stock gnuTLS (3.5.8) but also compiled
3.6.1 -- both behave the same. Unfortunately I don't know the gnuTLS
version with which the issue didn't occur (included in Ubuntu 17.04).

If I can provide any more information, I happily would. Any help greatly
appreciated.
Cheers,
Joe
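
Added example (not part of the original post, and not GnuTLS or OpenSSL code): a DER walk over the OCSP response posted above that reports the fields a verifier has available for locating the signer certificate, namely the responder ID form and whether any certificates are embedded in the response (RFC 6960). The function names are illustrative; the code assumes single-byte tags and definite lengths, and it decodes the posted bytes without checking the signature.

```python
import base64

OCSP_B64 = """
MIIBEgoBAKCCAQswggEHBgkrBgEFBQcwAQEEgfkwgfYwgZ6iFgQUTV3bnZY4luDx
YCj6vSqPjggzKcYYDzIwMTcxMjEyMTIwOTI3WjBzMHEwSTAJBgUrDgMCGgUABBS3
Mfjck2a2obQn2qhOU5CfoouacQQUTV3bnZY4luDxYCj6vSqPjggzKcYCECNIbi3P
wV4CpInSuwvPBRKAABgPMjAxNzEyMTIwOTA5MjdaoBEYDzIwMTcxMjI2MTIwOTI3
WjAKBggqhkjOPQQDAgNHADBEAiA2SYR4gyroYetUjezA5ZzwJZohOGjms4kBlYw3
Fzp2+AIgBmOh0xlwt6pSE/DRD2p0BtwEirdpb3QXgqirWeOMM1s=
"""  # OCSP response exactly as posted above (base64 of the DER)

def children(data):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > len(data):
            raise ValueError("truncated DER element")
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out

def inspect_ocsp(der):
    """Return the signer-lookup fields of an OCSPResponse (RFC 6960)."""
    status, *rest = children(children(der)[0][1])
    info = {"status": status[1][0], "responder": None,
            "produced_at": None, "embedded_certs": False}
    if not rest:                               # error responses carry no body
        return info
    resp_bytes = children(children(rest[0][1])[0][1])   # [0] -> ResponseBytes
    basic = children(children(resp_bytes[1][1])[0][1])  # OCTET STRING -> Basic
    tbs = children(basic[0][1])                # tbsResponseData fields
    i = 1 if tbs[0][0] == 0xA0 else 0          # skip optional [0] version
    tag, rid = tbs[i]
    if tag == 0xA2:                            # byKey: SHA-1 of responder key
        info["responder"] = ("byKey", children(rid)[0][1].hex())
    else:                                      # 0xA1 byName: DER-encoded Name
        info["responder"] = ("byName", rid.hex())
    info["produced_at"] = tbs[i + 1][1].decode("ascii")
    info["embedded_certs"] = any(t == 0xA0 for t, _ in basic[3:])
    return info

if __name__ == "__main__":
    print(inspect_ocsp(base64.b64decode(OCSP_B64)))
```

The key hash it reports can be compared against the "Responder Id" and "Issuer Key Hash" lines in the openssl output above.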


