Bug#772055: libgnutls-deb0-28:amd64: Certificate Status Request (OCSP stapling) check fails with mozilla.org
Alessandro Ghedini
ghedo at debian.org
Thu Dec 4 18:08:25 UTC 2014
Package: libgnutls-deb0-28
Version: 3.3.8-5
Severity: normal
Hi,
I've been playing with GnuTLS OCSP stapling support, but I noticed that it seems
to reject apparently valid responses (e.g. the mozilla.org one).
I attached a "simple" code example that connects to a server and checks the
stapled OCSP response using gnutls_ocsp_status_request_is_checked().
Compile with "cc ocsp.c -lgnutls" and run with "./a.out <host> <port>".
For example, if I run it against mozilla.org, I get:
% ./a.out mozilla.org 443
Certificate check FAIL
but other hosts work fine:
% ./a.out tn123.org 443
Certificate check OK
and OpenSSL works fine with both.
Cheers
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libgnutls-deb0-28:amd64 depends on:
ii libc6 2.19-13
ii libgmp10 2:6.0.0+dfsg-6
ii libhogweed2 2.7.1-3
ii libnettle4 2.7.1-3
ii libp11-kit0 0.20.7-1
ii libtasn1-6 4.2-2
ii multiarch-support 2.19-13
ii zlib1g 1:1.2.8.dfsg-2+b1
libgnutls-deb0-28:amd64 recommends no packages.
Versions of packages libgnutls-deb0-28:amd64 suggests:
ii gnutls-bin 3.3.8-5
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ocsp.c
Type: text/x-c
Size: 2910 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20141204/f41e9889/attachment.bin>