Hi,
I am encountering an issue when performing a git clone of a repository
hosted on a server using OCSP and that returns multiple OCSP responses.
Note that I have reproduced this using a bare metal installation of Debian
12.9 and 12.10 and from WSL2 installations of 12.9 and 12.10.
There is a documented defect in GnuTLS indicating that it will fail
under the circumstances described above.
This defect was fixed in GnuTLS 3.8.8 in commit:
https://github.com/gnutls/gnutls/commit/ae404fe8488dee424876b5963c00d7e041672415
testing and sid contain GnuTLS 3.8.9 at the time of this submission.
Without addressing this concern, the only available workaround is to
disable TLS verification during any http operation where the OCSP response
will contain multiple entries. This is not a secure workaround.
I am requesting that GnuTLS 3.8.8 or later from testing/sid be backported to
bookworm in order to resolve the issue without requiring users to disable
TLS verification.
Additional information may be available in a similar ticket submitted against
Ubuntu (https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2102115)
Thanks.
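As an added example, not part of the bug report above: a POSIX sh check that tells you whether the installed GnuTLS carries the fix the report refers to (multiple OCSP responses, fixed upstream in 3.8.8), so an administrator can decide whether a system is affected before weakening TLS verification anywhere. The package name libgnutls30 and the use of dpkg-query to read its version are assumptions; the sample version strings are constructed.

```shell
# Added example (not from the bug report): version check for the GnuTLS
# OCSP fix described above. Assumptions: the library version is read from
# the libgnutls30 package via dpkg-query, and the string may carry a Debian
# epoch ("1:") and revision ("-2+deb12u4").

# upstream_version DEBIAN_VERSION -> prints the upstream part,
# e.g. "1:3.7.9-2+deb12u4" -> "3.7.9"
upstream_version() {
    v=${1#*:}        # drop an epoch prefix, if present
    v=${v%%-*}       # drop the Debian revision
    printf '%s\n' "$v"
}

# gnutls_fixed DEBIAN_VERSION -> exit 0 if upstream version >= 3.8.8, else 1
gnutls_fixed() {
    up=$(upstream_version "$1")
    oldifs=$IFS; IFS=.; set -- $up; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}   # tolerate "8~rc1"-style suffixes
    [ "$maj" -gt 3 ] && return 0
    [ "$maj" -lt 3 ] && return 1
    [ "$min" -gt 8 ] && return 0
    [ "$min" -lt 8 ] && return 1
    [ "$pat" -ge 8 ]
}

# classify_gnutls DEBIAN_VERSION -> prints "fixed" or "affected"
classify_gnutls() {
    if gnutls_fixed "$1"; then echo fixed; else echo affected; fi
}

# Constructed sample values resembling bookworm and sid package versions
# (illustrative only, not read from a real system).
for sample in "3.7.9-2+deb12u4" "3.8.9-2"; do
    echo "libgnutls30 $sample: $(classify_gnutls "$sample")"
done

# Live check on a Debian host, when dpkg-query is available.
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' libgnutls30 2>/dev/null || true)
    if [ -n "$installed" ]; then
        echo "installed libgnutls30 $installed: $(classify_gnutls "$installed")"
    fi
fi
```

Run it on the machine where the git clone fails; an "affected" result for the installed package means a backport (or a newer suite) is the fix, not a verification bypass.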