Hi,

Leo Famulari <l...@famulari.name> wrote:

> For master, the naive approach of cherry-picking the patch [1] did not
> work; the test 'system-prio-file' fails consistently with that change. I
> could instead try grafting the updated version.

These 3 GnuTLS commits appear to be related to this issue:

--8<---------------cut here---------------start------------->8---
commit 8469db9dbcdd6ec22094a4f095201d80d981b9f0
Author: Nikos Mavrogiannopoulos <n...@gnutls.org>
Date:   Sun Aug 28 00:55:30 2016 +0200

    tests: added basic operational check of gnutls_ocsp_resp_get_single()

commit 8a0c9bbae25f75e30a913c6f4b29f468940398ca
Author: Nikos Mavrogiannopoulos <n...@gnutls.org>
Date:   Sun Aug 28 00:40:49 2016 +0200

    gnutls_ocsp_resp_get_single: reorganized function to eliminate memory leaks

    Simplified and optimized the function operation, by removing
    unnecessary memory allocations, as well as eliminate memory
    leaks on certain error cases.

commit 964632f37dfdfb914ebc5e49db4fa29af35b1de9
Author: Nikos Mavrogiannopoulos <n...@gnutls.org>
Date:   Sat Aug 27 17:00:22 2016 +0200

    ocsp: corrected the comparison of the serial size in OCSP response

    Previously the OCSP certificate check wouldn't verify the serial length
    and could succeed in cases it shouldn't.

    Reported by Stefan Buehler.
--8<---------------cut here---------------end--------------->8---

If applying these patches on top of our current GnuTLS version (and then
using it as a graft) works, we could do that.

If not, using the later 3.5.x release should be OK (API- and
ABI-compatible).

Ludo’.