[gnutls-help] Problem with OCSP status in gnutls-cli

Johannes Bauer dfnsonfsduifb at gmx.de
Wed Dec 13 11:38:43 CET 2017


Hi Nikos,

On 13.12.2017 07:46, Nikos Mavrogiannopoulos wrote:

>> - Status: The certificate is NOT trusted. The received OCSP status
>> response is invalid.
> 
> What I can see from the code involved in the asserts above is that the
> signer of the OCSP response cannot be found either in the chain sent by
> the server, or in the trusted store.
> 
> The message "Got a certificate list of 1 certificates" further suggests
> that the server didn't include root.crt in its chain. Is that correct?

That is correct. The server only sends its server certificate, which is
directly signed by the self-signed root CA certificate.

The certificate that I pass to gnutls-cli is that exact root
certificate. So IMHO, GnuTLS should have all the required trust
prerequisites to validate the certificate, shouldn't it? I will now also
try to make the server send the root CA cert as well in its response and
see if that changes the behavior.

Thanks for your assistance,
Kind regards,
Joe
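Added example, not code from this thread or from GnuTLS: a small Python script using the `cryptography` package that builds the setup described above (a self-signed root CA that directly issues the server certificate, and an OCSP response signed by that root), then applies the lookup rule Nikos describes, where the response signer has to be found either in the chain the server sent or in the configured trust store. All names, keys and the one-certificate chain are constructed for the demo; the lookup matches the responder by name only, and the function name `find_ocsp_signer` is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Naive UTC timestamp; the cryptography builders accept naive datetimes as UTC.
NOW = datetime.now(timezone.utc).replace(tzinfo=None)


def make_cert(common_name, issuer_cert, issuer_key, key, is_ca):
    """Issue a certificate for `key`; issuer_cert=None means self-signed (constructed test PKI)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


# Constructed test PKI mirroring the thread: a self-signed root that directly issues the server cert.
ROOT_KEY = ec.generate_private_key(ec.SECP256R1())
ROOT_CERT = make_cert("Test Root CA (constructed)", None, ROOT_KEY, ROOT_KEY, is_ca=True)
SERVER_KEY = ec.generate_private_key(ec.SECP256R1())
SERVER_CERT = make_cert("server.example (constructed)", ROOT_CERT, ROOT_KEY, SERVER_KEY, is_ca=False)


def make_ocsp_response(cert, issuer_cert, issuer_key):
    """Build a 'good' OCSP response signed directly by the issuing CA, as in the thread's setup."""
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=cert,
            issuer=issuer_cert,
            algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=NOW,
            next_update=NOW + timedelta(days=1),
            revocation_time=None,
            revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.NAME, issuer_cert)
    )
    return builder.sign(issuer_key, hashes.SHA256())


RESPONSE = make_ocsp_response(SERVER_CERT, ROOT_CERT, ROOT_KEY)


def find_ocsp_signer(response, chain, trust_store):
    """Locate the certificate whose key signed `response` (hypothetical helper, not GnuTLS code).

    Candidates are, in order, the chain the server sent and the configured trust store,
    which is the search described in the thread. Only the by-name responder id is matched;
    the by-key-hash form is left out of this example. Returns None when no candidate both
    matches the responder id and verifies the signature.
    """
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return None
    for candidate in list(chain) + list(trust_store):
        if response.responder_name is not None and candidate.subject != response.responder_name:
            continue
        try:
            candidate.public_key().verify(
                response.signature,
                response.tbs_response_bytes,
                ec.ECDSA(response.signature_hash_algorithm),
            )
            return candidate
        except InvalidSignature:
            continue
    return None


if __name__ == "__main__":
    # Server sends only its own certificate and nothing is trusted: the signer is not found.
    print("chain only, empty store:", find_ocsp_signer(RESPONSE, [SERVER_CERT], []))
    # Same one-certificate chain, but the root CA is in the trust store: the signer is found.
    print("root in store:", find_ocsp_signer(RESPONSE, [SERVER_CERT], [ROOT_CERT]))
```

The two calls at the bottom correspond to the two situations in the thread: a server that sends a one-certificate chain with no CA in the client's store, and the same server once the root CA has been loaded as a trusted certificate. Whether the real gnutls-cli run succeeds also depends on the rest of the OCSP checks (validity window, matching serial, issuer hashes), which this example does not reproduce.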
