Bug#759161: libgnutls-deb0-28: broken OCSP response parser with some CAs
Alessandro Ghedini
ghedo at debian.org
Sun Aug 24 22:29:42 UTC 2014
Package: libgnutls-deb0-28
Version: 3.3.6-2
Severity: normal

Hi,

I've been playing with gnutls OCSP support but I noticed that it fails to parse
many apparently valid OCSP responses.

E.g. using gnutls-cli with the --ocsp option:

  % gnutls-cli --ocsp facebook.com 443
  [...]
  importing response: ASN1 parser: Error in DER parsing.

I noticed that many of the rejected OCSP responses come from either digicert.com
or GlobalSign (e.g. other than facebook.com, try also cloudflare.com,
wikipedia.org, github.com, bitbucket.org, imgur.com, ...). Note that openssl
works with them just fine.

Other CAs work fine (e.g. try yahoo.com, namecheap.com, shipit.ubuntu.com, ...).

Cheers

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libgnutls-deb0-28 depends on:
ii libc6 2.19-9
ii libgmp10 2:6.0.0+dfsg-6
ii libhogweed2 2.7.1-3
ii libnettle4 2.7.1-3
ii libp11-kit0 0.20.3-2
ii libtasn1-6 4.1-1
ii multiarch-support 2.19-9
ii zlib1g 1:1.2.8.dfsg-2
libgnutls-deb0-28 recommends no packages.
Versions of packages libgnutls-deb0-28 suggests:
ii gnutls-bin 3.3.6-2
-- no debconf information