Bug#1105226: libgnutls30: gnutls OCSP failure when multiple OCSP responses

David Willis dawillis at gmail.com
Tue May 13 19:37:34 BST 2025


Package: libgnutls30
Version: 3.7.9-2+deb12u4
Severity: important
X-Debbugs-Cc: dawillis at gmail.com

Hi,

I am encountering an issue when performing a git clone of a repository
hosted on a server using OCSP and that returns multiple OCSP responses.

Note that I have reproduced this using a bare metal installation of Debian
12.9 and 12.10 and from WSL2 installations of 12.9 and 12.10.

There is a documented defect in GnuTLS that indicated that it would fail
under the circumstance documented above.

This defect was fixed in GnuTLS 3.8.8 in commit:
https://github.com/gnutls/gnutls/commit/ae404fe8488dee424876b5963c00d7e041672415

testing and sid contain GnuTLS 3.8.9 at the time of this submission.

Without addressing this concern, the only available workaround is to
disable TLS verification during any http operation where the OCSP response
will contain multiple entries. This is not a secure workaround.

I am requesting that GnuTLS 3.8.8 or later from testing/sid be backported to
bookworm in order to resolve the issue without requiring users to disable
TLS verification.

Additional information may be available in a similar ticket submitted against
Ubuntu (https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2102115).

Thanks.

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.87.1-microsoft-standard-WSL2 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libgnutls30 depends on:
ii  libc6          2.36-9+deb12u10
ii  libgmp10       2:6.2.1+dfsg1-1.1
ii  libhogweed6    3.8.1-2
ii  libidn2-0      2.3.3-1+b1
ii  libnettle8     3.8.1-2
ii  libp11-kit0    0.24.1-2
ii  libtasn1-6     4.19.0-2+deb12u1
ii  libunistring2  1.0-2

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
pn  gnutls-bin  <none>

-- no debconf information
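The report identifies the fix as landing in upstream GnuTLS 3.8.8, while bookworm ships 3.7.9-2+deb12u4. The script below is an added example, not part of the bug report or of the gnutls package, that decides whether a given Debian libgnutls30 version string predates that fix, so an administrator can inventory affected hosts instead of turning off TLS verification. It assumes Debian version syntax (optional epoch, upstream version, optional revision) and a plain numeric x.y.z upstream version; the dpkg-query usage at the bottom is hypothetical and only runs where dpkg is present.

```shell
#!/bin/sh
# Added example: is an installed libgnutls30 older than the upstream fix
# (GnuTLS 3.8.8, per the bug report) for the multi-response OCSP defect?

# Reduce a Debian version such as "2:6.2.1+dfsg1-1.1" to its upstream part.
upstream_version() {
    v=${1#*:}                  # drop the epoch ("2:") if present
    printf '%s\n' "${v%%-*}"   # drop the Debian revision ("-1.1")
}

# Return 0 if dotted version $1 >= $2, comparing numeric components.
# Non-numeric suffixes in a component (e.g. "1+dfsg1") are ignored.
version_ge() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# Return 0 when the given libgnutls30 version carries the 3.8.8 fix.
gnutls_ocsp_multi_response_fixed() {
    version_ge "$1" 3.8.8
}

# Hypothetical usage against the live system (skipped where dpkg is absent).
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' libgnutls30 2>/dev/null)
    if [ -n "$installed" ]; then
        if gnutls_ocsp_multi_response_fixed "$installed"; then
            echo "libgnutls30 $installed: multi-response OCSP fix present"
        else
            echo "libgnutls30 $installed: predates GnuTLS 3.8.8, upgrade rather than disabling verification"
        fi
    fi
fi
```

The comparison deliberately works on the upstream version only: a Debian revision such as `+deb12u4` signals a stable update but says nothing about which upstream commits were cherry-picked, so once a backport of this fix ships, the check should be keyed to the specific fixed package version announced for bookworm rather than to 3.8.8.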
