GnuTLS 3.6.8

I'm testing $subject using a 3-layer cert chain, and stapled OCSP under TLS 1.3, for which the middle item is non-valid. The client reports (using gnutls_ocsp_resp_print()):

20:23:20 18349 OCSP Response Information:
20:23:20 18349 Response Status: Successful
20:23:20 18349 Response Type: Basic OCSP Response
20:23:20 18349 Version: 1
20:23:20 18349 Responder ID: CN=clica CA rsa,O=example.com
20:23:20 18349 Produced At: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349 Responses:
20:23:20 18349 Certificate ID:
20:23:20 18349 Hash Algorithm: SHA256
20:23:20 18349 Issuer Name Hash: 5af082e51d62fe01fd706baebeb878db64e68f76e74a36f36d914297ddee24b8
20:23:20 18349 Issuer Key Hash: 333db14364b98e78a33dd8a4fae8d8378ea9b0f5fbca97b25685aa0d32116091
20:23:20 18349 Serial Number: 65
20:23:20 18349 Certificate Status: good
20:23:20 18349 This Update: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349 Next Update: Fri Nov 09 20:09:14 UTC 2029
20:23:20 18349 Certificate ID:
20:23:20 18349 Hash Algorithm: SHA256
20:23:20 18349 Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109
20:23:20 18349 Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12
20:23:20 18349 Serial Number: 42
20:23:20 18349 Certificate Status: revoked
20:23:20 18349 Revocation time: Mon Feb 01 14:27:09 UTC 2010
20:23:20 18349 This Update: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349 Next Update: Fri Nov 09 20:09:14 UTC 2029
20:23:20 18349 Certificate ID:
20:23:20 18349 Hash Algorithm: SHA256
20:23:20 18349 Issuer Name Hash: bfa7275a566efd4be2df82dbd9d1290d470186f6ff2acd8c16659f342ab56109
20:23:20 18349 Issuer Key Hash: 208f9d28c7c0bc914144dfa8c0be3d5b3bfcebb622c8a8dc27e865fc06ca0e12
20:23:20 18349 Certificate Status: good
20:23:20 18349 This Update: Sun Nov 10 20:09:14 UTC 2019
20:23:20 18349 Next Update: Fri Nov 09 20:09:14 UTC 2029
20:23:20 18349 Extensions:
20:23:20 18349 Signature Algorithm: RSA-SHA256

but gnutls_ocsp_status_request_is_checked(state->session, 0) returns nonzero (meaning "valid"). I'm not quite clear what level of validity is being described here.

Should it be checking that the OCSP response indicates non-revoked certificates, for all cert-chain elements covered? Or is it only saying that the stapled information is well-constructed and signed (meaning that I should be taking more actions to validate the certs; if so, what)?

-- 
Thanks,
Jeremy

_______________________________________________
Gnutls-help mailing list
http://lists.gnupg.org/mailman/listinfo/gnutls-help
