Verified on zesty, old version 3.5.6-4ubuntu4.2 failed handshake, 3.5.6-4ubuntu4.3 succeeded:

Script started on Thu 07 Sep 2017 00:45:28 CEST
+ apt-get -q update
[...]
+ apt-get -q -y install gnutls-bin ca-certificates
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libffi6 libgmp10 libgnutls30 libhogweed4 libidn11 libnettle6 libopts25 libp11-kit0 libssl1.0.0 libtasn1-6 openssl
The following NEW packages will be installed:
  ca-certificates gnutls-bin libffi6 libgmp10 libgnutls30 libhogweed4 libidn11 libnettle6 libopts25 libp11-kit0 libssl1.0.0 libtasn1-6 openssl
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 3326 kB of archives.
After this operation, 9762 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu zesty/main amd64 libffi6 amd64 3.2.1-6 [17.7 kB]
Get:2 http://archive.ubuntu.com/ubuntu zesty/main amd64 libgmp10 amd64 2:6.1.2+dfsg-1 [240 kB]
Get:3 http://archive.ubuntu.com/ubuntu zesty/main amd64 libnettle6 amd64 3.3-1 [92.4 kB]
Get:4 http://archive.ubuntu.com/ubuntu zesty/main amd64 libhogweed4 amd64 3.3-1 [135 kB]
Get:5 http://archive.ubuntu.com/ubuntu zesty/main amd64 libidn11 amd64 1.33-1 [45.0 kB]
Get:6 http://archive.ubuntu.com/ubuntu zesty/main amd64 libp11-kit0 amd64 0.23.3-5 [107 kB]
Get:7 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libtasn1-6 amd64 4.10-1ubuntu0.1 [35.5 kB]
Get:8 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libgnutls30 amd64 3.5.6-4ubuntu4.2 [627 kB]
Get:9 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 libssl1.0.0 amd64 1.0.2g-1ubuntu11.2 [1081 kB]
Get:10 http://archive.ubuntu.com/ubuntu zesty-updates/main amd64 openssl amd64 1.0.2g-1ubuntu11.2 [491 kB]
Get:11 http://archive.ubuntu.com/ubuntu zesty/main amd64 ca-certificates all 20161130 [193 kB]
Get:12 http://archive.ubuntu.com/ubuntu zesty/main amd64 libopts25 amd64 1:5.18.12-3 [57.0 kB]
Get:13 http://archive.ubuntu.com/ubuntu zesty-updates/universe amd64 gnutls-bin amd64 3.5.6-4ubuntu4.2 [204 kB]
Fetched 3326 kB in 2s (1539 kB/s)
[...]
+ gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net
Processed 173 CA certificate(s).
Resolving 'tvemsnbc-vh.akamaihd.net:443'...
Connecting to '95.101.77.25:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=Massachusetts,C=US', issuer `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', serial 0x0f683f2dfac9edf014148ca649db4bad, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2017-03-07 00:00:00 UTC', expires `2018-05-06 23:59:59 UTC', SHA-1 fingerprint `557c90a8d8953f3a2c2b59290a5ce12eafa60adf'
    Public Key ID:
        8c08394d28e104af81d099d4d236eef424710a29
    Public key's random art:
        +--[SECP256R1]----+
        |==.B. |
        |E.O+* . |
        |o+==.= |
        | o o=..o |
        |. o.+. S |
        | . . |
        | |
        | |
        | |
        +-----------------+

- Certificate[1] info:
 - subject `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', issuer `CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US', serial 0x3f9287be9d1da4a37a9df6282e775ac4, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2015-05-12 00:00:00 UTC', expires `2025-05-11 23:59:59 UTC', SHA-1 fingerprint `fe3c41901f3659c6eddc0c1c2d85d0b20e649614'
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
+ echo 'deb http://archive.ubuntu.com/ubuntu/ zesty-proposed main'
+ apt-get -q update
[...]
+ apt-get -q -y install libgnutls30/zesty-proposed
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libgnutls30
1 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 627 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 libgnutls30 amd64 3.5.6-4ubuntu4.3 [627 kB]
Fetched 627 kB in 0s (1171 kB/s)
[...]
+ gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net
Processed 173 CA certificate(s).
Resolving 'tvemsnbc-vh.akamaihd.net:443'...
Connecting to '95.101.77.34:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=a248.e.akamai.net,O=Akamai Technologies\, Inc.,L=Cambridge,ST=Massachusetts,C=US', issuer `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', serial 0x0f683f2dfac9edf014148ca649db4bad, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2017-03-07 00:00:00 UTC', expires `2018-05-06 23:59:59 UTC', SHA-1 fingerprint `557c90a8d8953f3a2c2b59290a5ce12eafa60adf'
    Public Key ID:
        8c08394d28e104af81d099d4d236eef424710a29
    Public key's random art:
        +--[SECP256R1]----+
        |==.B. |
        |E.O+* . |
        |o+==.= |
        | o o=..o |
        |. o.+. S |
        | . . |
        | |
        | |
        | |
        +-----------------+

- Certificate[1] info:
 - subject `CN=Symantec Class 3 ECC 256 bit SSL CA - G2,OU=Symantec Trust Network,O=Symantec Corporation,C=US', issuer `CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US', serial 0x3f9287be9d1da4a37a9df6282e775ac4, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2015-05-12 00:00:00 UTC', expires `2025-05-11 23:59:59 UTC', SHA-1 fingerprint `fe3c41901f3659c6eddc0c1c2d85d0b20e649614'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
- Session ID: 2C:8E:64:DB:85:A0:AC:38:E7:B7:F0:98:0B:3B:1D:73:F2:C4:6D:95:E6:A9:1E:9D:99:4D:53:2A:45:6F:A6:7F
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: OCSP status request,
- Handshake was completed

- Simple Client Mode:

^C
Script done on Thu 07 Sep 2017 00:46:05 CEST

** Tags removed: verification-needed verification-needed-zesty
** Tags added: verification-done-zesty

-- 
https://bugs.launchpad.net/bugs/1714506

Title:
  libgnutls30 OCSP verification bug
