[Bug 2102115] Re: gnutls ocsp failure

Ural Tunaboyu 2102115 at bugs.launchpad.net
Thu Jul 10 20:27:08 UTC 2025


Ubuntu 24.10 (Oracular Oriole) has reached end of life, so this bug will
not be fixed for that specific release.

** Changed in: gnutls28 (Ubuntu Oracular)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2102115

Title:
  gnutls ocsp failure

Status in Gnutls:
  Fix Released
Status in gnutls28 package in Ubuntu:
  Fix Released
Status in gnutls28 source package in Noble:
  Confirmed
Status in gnutls28 source package in Oracular:
  Won't Fix
Status in gnutls28 source package in Plucky:
  Fix Released
Status in gnutls28 package in Debian:
  New

Bug description:
  This bug affects libgnutls30t64 in 24.04 and 24.10.  This package was
  not available in the list (only gnutls28 was).

  Any applications that use gnutls versions less than 3.8.8 for TLS fail
  to properly validate certificates using OCSP when the OCSP response
  contains multiple responses if the first response does not match the
  server presented certificate.

  This was fixed in gnutls in September 2024,
  https://github.com/gnutls/gnutls/commit/ae404fe8488dee424876b5963c00d7e041672415
  and released in gnutls 3.8.8.

  git in Ubuntu is compiled against libcurl/gnutls instead of
  libcurl/openssl; this creates a significant issue for users using
  Ubuntu with no alternative workaround besides compiling their own
  version of git, or disabling http verification.

  Can you please backport this change to 24.04 for LTS support?

  This bug exists (was tested in 24.04 and 24.10).

  When the bug is encountered, the user just gets a "certificate is not
  trusted" error.  To identify the root cause, it required setting the
  environment GNUTLS_DEBUG_LEVEL=99, identifying the error "Got OCSP
  response with an unrelated certificate.".  Then we used `gnutls-cli
  --save-ocsp=ocsp.dat {website}` and `ocsptool -S ocsp.dat -j` to see
  the multiple responses and that the certificate serial number from
  `gnutls-cli` was shown in the `ocsptool` output, but not in the first
  response.

  Failure to fix this bug will likely encourage users to disable http
  verification as the easier solution, which makes websites with OCSP
  responders that respond with multiple responses potentially vulnerable
  to targeted MITM attacks.

  Ideally, backporting 3.8.9, which you already have proposed for 25.04,
  would be preferable, or patching your existing 3.8.3 with the OCSP
  commit, which wouldn't trigger any ABI/API changes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gnutls/+bug/2102115/+subscriptions
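The check the reporter describes (comparing the serial number gnutls-cli shows for the server certificate against the single responses ocsptool prints) as an added shell example; it is not part of the bug report or of gnutls. The "Serial Number:" line layout is an assumption about ocsptool's text output, and the sample output and serial values are constructed.

```shell
# Given saved ocsptool text output and the server certificate's serial
# (as printed by gnutls-cli), print the 1-based position of the single
# response that covers that serial, or 0 if no response matches.
# Assumes each single response carries a "Serial Number: <hex>" line.
ocsp_match_index() {
    serial="$1"   # hex serial; case and ':' separators are ignored
    file="$2"     # text output saved from ocsptool
    want=$(printf '%s' "$serial" | tr -d ':' | tr 'A-F' 'a-f')
    awk -v want="$want" '
        /Serial Number:/ {
            n++
            s = tolower($NF); gsub(/:/, "", s)
            if (s == want) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }
    ' "$file"
}

# Turn the position into the verdict that matters for this bug: gnutls
# before 3.8.8 only accepts the response when the match is the first one.
ocsp_diagnose() {
    idx=$(ocsp_match_index "$1" "$2")
    case "$idx" in
        0) echo "no response for serial $1: unrelated OCSP response" ;;
        1) echo "matching response is first: accepted by any gnutls" ;;
        *) echo "matching response is #$idx: rejected by gnutls < 3.8.8" ;;
    esac
}

# Constructed sample: an OCSP response with two single responses, where
# the server certificate (serial 11223344aabb, made up) is the second.
SAMPLE_OCSP=$(mktemp)
cat > "$SAMPLE_OCSP" <<'EOF'
OCSP Response Information:
	Response Status: Successful
	Response Type: Basic OCSP Response
	Responses:
		Certificate ID:
			Hash Algorithm: SHA1
			Serial Number: 0a1b2c3d4e5f
		Certificate Status: good
		Certificate ID:
			Hash Algorithm: SHA1
			Serial Number: 11223344aabb
		Certificate Status: good
EOF

ocsp_diagnose 11223344AABB "$SAMPLE_OCSP"
```

A position greater than 1 reproduces the condition the report describes; rerunning the check after the gnutls update confirms nothing about the responder changed, only the client's handling of it.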
More information about the foundations-bugs mailing list