[gnutls-help] Problem with OCSP status in gnutls-cli

Johannes Bauer dfnsonfsduifb at gmx.de
Wed Dec 13 13:26:26 CET 2017


Hi Nikos,

On 13.12.2017 12:46, Nikos Mavrogiannopoulos wrote:

>> So, for now, this works as a workaround for me -- but I do think that is
>> unintended behavior on gnuTLS' side, isn't it?
> 
> I'm not sure. There is already a test for that (see
> tests/ocsp-tests/ocsp-tls-connection) and gnutls-cli seems to be able
> to connect. Could you help me by providing a reproducer to the issue?

Sure thing! I've created a blob, ocsp_reproducer.tar.gz (attached at
bottom), that contains all certificates and an OCSP response which I
crafted to be valid for a year. It relies on OpenSSL (possibly 1.1,
don't know when the -status_file option was added). Here's how it works:

$ ./start_server
[...]
~~~~~~~~~ NOT serving the status request ~~~~~~~~~
Using default temp DH parameters
ACCEPT

and then, in a separate terminal

$ ./connect_client
[...]
- Handshake was completed

But give "start_server" any argument and it'll serve OCSP:

$ ./start_server x
[...]
~~~~~~~~~ Serving OCSP status request ~~~~~~~~~
Using default temp DH parameters
ACCEPT

and then

$ ./connect_client
[...]
- Status: The certificate is NOT trusted. The received OCSP status
response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

Let me know if there's anything else I can contribute. Thanks for
looking into this!

Kind regards,
Johannes

ocsp_reproducer.tar.gz:
------- BEGIN BASE64 -------
------- END BASE64 len 2089 MD5 01ca145c6faa7ed52f6ef3abc95fb4fe -------
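
A self-contained version of the two-terminal reproducer described above, added here as an example; it is not the attached tarball and not code from the original post or from the GnuTLS project. It assumes openssl (1.1 series or later, for s_server -status_file) and gnutls-cli on PATH, TCP port 4433 and the hostname localhost (both assumptions), and it simplifies the PKI by signing the OCSP response directly with the CA key instead of a dedicated responder certificate. As in the post, any extra argument to the server subcommand makes s_server staple the response; without it the status request is not answered.

```shell
#!/bin/sh
# ocsp_repro.sh: rebuild the start_server / connect_client setup from the post.
# Usage:  ./ocsp_repro.sh setup        generate CA, server cert, index.txt, ocsp.der
#         ./ocsp_repro.sh server [x]   any extra argument => staple ocsp.der
#         ./ocsp_repro.sh client       gnutls-cli against the running server
#         ./ocsp_repro.sh check        verify ocsp.der with openssl, independent of gnutls
# Assumptions (not from the post): openssl 1.1+ and gnutls-cli on PATH, port 4433,
# hostname localhost, all files in the current directory.

PORT=4433

setup_pki() {
    # CA with the extensions a trust anchor needs (basicConstraints, keyUsage).
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Reproducer Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -keyout ca.key -out ca.pem
    # Server certificate for localhost, issued by the CA.
    cat > server.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
EOF
    cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
EOF
    openssl req -config server.cnf -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile server.ext -out server.pem
    # ca-style index consulted by "openssl ocsp -index": status, expiry, revocation
    # date, serial, file name, subject. Only serial and status are looked up here,
    # so the expiry column is a placeholder.
    serial=$(openssl x509 -in server.pem -noout -serial | cut -d= -f2)
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=localhost\n' "$serial" > index.txt
    # "good" response signed with the CA key itself (simplification), nextUpdate
    # 365 days out, like the year-long response in the post.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -issuer ca.pem -cert server.pem -ndays 365 -no_nonce -respout ocsp.der
}

# Extra s_server flags: staple ocsp.der only if any argument was given.
server_flags() {
    if [ "$#" -gt 0 ]; then
        printf '%s' '-status -status_file ocsp.der'
    fi
    return 0
}

start_server() {
    if [ "$#" -gt 0 ]; then
        echo "~~~~~~~~~ Serving OCSP status request ~~~~~~~~~"
    else
        echo "~~~~~~~~~ NOT serving the status request ~~~~~~~~~"
    fi
    # The flags are meant to be word-split, hence unquoted.
    openssl s_server -accept "$PORT" -cert server.pem -key server.key $(server_flags "$@")
}

connect_client() {
    # gnutls-cli sends the status_request extension; stdin is closed so it
    # exits right after the handshake (non-zero exit on verification failure).
    gnutls-cli --x509cafile ca.pem --port "$PORT" localhost < /dev/null
}

# Check the crafted response with openssl alone: signature chains to the CA
# and the server certificate is reported "good". Returns 0 only if both hold.
check_response() {
    out=$(openssl ocsp -respin ocsp.der -CAfile ca.pem -issuer ca.pem \
        -cert server.pem -no_nonce 2>&1) || return 1
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q 'Response verify OK' || return 1
    printf '%s\n' "$out" | grep -q 'server.pem: good'
}

case "${1:-}" in
    setup)  setup_pki ;;
    server) shift; start_server "$@" ;;
    client) connect_client ;;
    check)  check_response ;;
    "")     ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 setup|server [x]|client|check" >&2; exit 2 ;;
esac
```

Run `./ocsp_repro.sh setup` once, then `./ocsp_repro.sh server` or `./ocsp_repro.sh server x` in one terminal and `./ocsp_repro.sh client` in another. The `check` subcommand is the useful control: if openssl accepts the response as "good" with "Response verify OK" while gnutls-cli reports it invalid, the disagreement is between the two implementations rather than a defect in the crafted response.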
