[Bug 1714506] Re: libgnutls30 OCSP verification bug
Julian Andres Klode
julian.klode at gmail.com
Fri Sep 1 13:26:55 UTC 2017
** Description changed:
[Impact]
- * libgnutls30 fails some types of OSCP verification
-
- * everybodys doing it
-
- * https://gitlab.com/gnutls/gnutls/merge_requests/433/commits
+ Applications using GnuTLS fails to verify OSCP, especially when ECDSA is
+ involved, which becomes increasingly more popular.
[Test Case]
+ Run gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net it should succeed, but fails the handshake with certificate validation.
- * https://gitlab.com/gnutls/gnutls/issues/223
+ [Regression Potential]
+ Only OCSP code is affected by the fixes, so something could possibly break there.
- [Regression Potential]
+ [Other Info]
+ This was fixed in Debian stretch in 3.5.8-5+deb9u3:
- * everybody already did it, so small
-
- [Other Info]
-
- * https://anonscm.debian.org/cgit/pkg-gnutls/gnutls.git/commit/?h=gnutls28_09_stretch&id=aebb4e1b78758d6395e17a3137f2c67a2fb7a334
+ * https://anonscm.debian.org/cgit/pkg-
+ gnutls/gnutls.git/commit/?h=gnutls28_09_stretch&id=aebb4e1b78758d6395e17a3137f2c67a2fb7a334
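Review bot: the rewritten description drops both upstream references that the old text carried (the merge_requests/433 commits link under [Impact] and issues/223 under [Test Case]) and keeps only the Debian commit under [Other Info]; listing them there as well would keep the upstream fix traceable from this bug. The added [Impact] line also spells the protocol "OSCP" where the bug title has "OCSP", and "fails" should read "fail".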
** Description changed:
[Impact]
Applications using GnuTLS fails to verify OSCP, especially when ECDSA is
involved, which becomes increasingly more popular.
[Test Case]
- Run gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net it should succeed, but fails the handshake with certificate validation.
+ Run gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net - it should succeed, but fails the handshake with certificate validation.
[Regression Potential]
Only OCSP code is affected by the fixes, so something could possibly break there.
-
[Other Info]
This was fixed in Debian stretch in 3.5.8-5+deb9u3:
- * https://anonscm.debian.org/cgit/pkg-
+ https://anonscm.debian.org/cgit/pkg-
gnutls/gnutls.git/commit/?h=gnutls28_09_stretch&id=aebb4e1b78758d6395e17a3137f2c67a2fb7a334
** Description changed:
[Impact]
Applications using GnuTLS fails to verify OSCP, especially when ECDSA is
involved, which becomes increasingly more popular.
[Test Case]
- Run gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net - it should succeed, but fails the handshake with certificate validation.
+ Run "gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net" - it should succeed (hang once connected, basically), but fails the handshake with certificate validation.
[Regression Potential]
Only OCSP code is affected by the fixes, so something could possibly break there.
[Other Info]
This was fixed in Debian stretch in 3.5.8-5+deb9u3:
https://anonscm.debian.org/cgit/pkg-
gnutls/gnutls.git/commit/?h=gnutls28_09_stretch&id=aebb4e1b78758d6395e17a3137f2c67a2fb7a334
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1714506
Title:
libgnutls30 OCSP verification bug
Status in gnutls28 package in Ubuntu:
In Progress
Bug description:
[Impact]
Applications using GnuTLS fail to verify OCSP, especially when ECDSA
is involved, which becomes increasingly more popular.
[Test Case]
Run "gnutls-cli -p 443 tvemsnbc-vh.akamaihd.net" - it should succeed (hang once connected, basically), but fails the handshake with certificate validation.
[Regression Potential]
Only OCSP code is affected by the fixes, so something could possibly break there.
[Other Info]
This was fixed in Debian stretch in 3.5.8-5+deb9u3:
https://anonscm.debian.org/cgit/pkg-gnutls/gnutls.git/commit/?h=gnutls28_09_stretch&id=aebb4e1b78758d6395e17a3137f2c67a2fb7a334