OCSP must-staple issue with TLS 1.3
[reported by mail by Björn Jacke of samba.org]
I see again something weird with gnutls and ocsp.
On imap.samba.org:993 we have an OCSP must-staple enabled certificate; the server is haproxy/openssl from the latest Debian buster with TLS 1.3 enabled.
The certificate is working nicely with the stapled OCSP response from the server with all kinds of clients, except recent GnuTLS versions.
GnuTLS 3.5.18 for example works perfectly fine with:
echo QUIT | gnutls-cli --sni-hostname=imap.samba.org imap.samba.org:993 --verbose | less
The same test with GnuTLS 3.6.7 from Debian Buster (also on current Fedora) fails with:
- Status: The certificate is NOT trusted. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing.
... which seems to be wrong, though. A network sniff is attached as well, but you can also easily test against the host yourself. Do you see what might be wrong here?
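The stapled response is carried differently in the two protocol versions: in TLS 1.2 it is a separate CertificateStatus handshake message (RFC 6066 §8), while in TLS 1.3 it is the status_request extension of the CertificateEntry inside the server's Certificate message (RFC 8446 §4.4.2.1), so a client that only knows the TLS 1.2 location will report the status as missing. As an added example, not code from the report, GnuTLS, haproxy or OpenSSL, the following Python shows a minimal parser for both locations together with the must-staple hard-fail rule; the certificate and OCSP payloads are constructed placeholder byte strings, not real DER.

```python
"""Where a TLS client finds the stapled OCSP response in TLS 1.2 vs TLS 1.3.

Added example for this bug report; not GnuTLS, haproxy or OpenSSL code.
All handshake bytes below are built from the RFC wire formats; the
certificate / OCSP payloads are placeholder byte strings, not real DER.
"""
import struct
from typing import List, Optional, Tuple

HS_CERTIFICATE = 11         # HandshakeType.certificate
HS_CERTIFICATE_STATUS = 22  # HandshakeType.certificate_status (TLS 1.2, RFC 6066 §8)
EXT_STATUS_REQUEST = 5      # ExtensionType.status_request (RFC 6066 / RFC 8446 §4.4.2.1)
STATUS_TYPE_OCSP = 1        # CertificateStatusType.ocsp


def _lv(data: bytes, lensize: int) -> bytes:
    """Length-prefix a TLS opaque vector with a lensize-byte big-endian length."""
    return len(data).to_bytes(lensize, "big") + data


def _vec(buf: bytes, off: int, lensize: int) -> Tuple[bytes, int]:
    """Read a length-prefixed vector at buf[off:]; return (payload, offset after it)."""
    if len(buf) < off + lensize:
        raise ValueError("truncated TLS vector length")
    n = int.from_bytes(buf[off:off + lensize], "big")
    start, end = off + lensize, off + lensize + n
    if end > len(buf):
        raise ValueError("truncated TLS vector")
    return buf[start:end], end


# --- TLS 1.2: the response is a separate CertificateStatus handshake message ---

def build_tls12_certificate_status(ocsp_response: bytes) -> bytes:
    body = bytes([STATUS_TYPE_OCSP]) + _lv(ocsp_response, 3)
    return bytes([HS_CERTIFICATE_STATUS]) + _lv(body, 3)


def parse_tls12_certificate_status(msg: bytes) -> bytes:
    if msg[0] != HS_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus message")
    body, _ = _vec(msg, 1, 3)
    if body[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status_type %d" % body[0])
    response, _ = _vec(body, 1, 3)
    return response


# --- TLS 1.3: the response rides inside the Certificate message itself ---

def build_tls13_certificate(entries: List[Tuple[bytes, Optional[bytes]]]) -> bytes:
    """entries: (cert_data, ocsp_response or None) per CertificateEntry, leaf first."""
    cert_list = b""
    for cert_data, ocsp in entries:
        exts = b""
        if ocsp is not None:
            # extension_data of status_request in a CertificateEntry is a
            # CertificateStatus struct: status_type(1) + OCSPResponse<1..2^24-1>
            status = bytes([STATUS_TYPE_OCSP]) + _lv(ocsp, 3)
            exts += struct.pack(">H", EXT_STATUS_REQUEST) + _lv(status, 2)
        cert_list += _lv(cert_data, 3) + _lv(exts, 2)
    body = _lv(b"", 1) + _lv(cert_list, 3)   # empty certificate_request_context
    return bytes([HS_CERTIFICATE]) + _lv(body, 3)


def parse_tls13_certificate(msg: bytes) -> List[Tuple[bytes, Optional[bytes]]]:
    if msg[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate message")
    body, _ = _vec(msg, 1, 3)
    _ctx, off = _vec(body, 0, 1)             # certificate_request_context
    cert_list, _ = _vec(body, off, 3)
    entries, off = [], 0
    while off < len(cert_list):
        cert_data, off = _vec(cert_list, off, 3)
        exts, off = _vec(cert_list, off, 2)
        ocsp, eoff = None, 0
        while eoff < len(exts):
            ext_type = struct.unpack_from(">H", exts, eoff)[0]
            ext_data, eoff = _vec(exts, eoff + 2, 2)
            if ext_type == EXT_STATUS_REQUEST and ext_data[0] == STATUS_TYPE_OCSP:
                ocsp, _ = _vec(ext_data, 1, 3)
        entries.append((cert_data, ocsp))
    return entries


def leaf_stapled_response(tls13_certificate_msg: bytes) -> Optional[bytes]:
    """The must-staple check concerns the leaf, i.e. the first CertificateEntry."""
    entries = parse_tls13_certificate(tls13_certificate_msg)
    return entries[0][1] if entries else None


def must_staple_ok(leaf_requires_staple: bool, stapled: Optional[bytes]) -> bool:
    """RFC 7633 hard-fail rule: a must-staple leaf with no stapled response is untrusted."""
    return stapled is not None or not leaf_requires_staple


# Constructed placeholders (labelled as such): not real certificates or OCSP responses.
FAKE_LEAF = b"\x30\x82LEAF-CERT-PLACEHOLDER"
FAKE_INTERMEDIATE = b"\x30\x82INTERMEDIATE-CERT-PLACEHOLDER"
FAKE_OCSP = b"\x30\x82OCSP-RESPONSE-PLACEHOLDER"

if __name__ == "__main__":
    tls12 = build_tls12_certificate_status(FAKE_OCSP)
    tls13 = build_tls13_certificate([(FAKE_LEAF, FAKE_OCSP), (FAKE_INTERMEDIATE, None)])
    print("TLS 1.2 stapled:", parse_tls12_certificate_status(tls12) == FAKE_OCSP)
    print("TLS 1.3 stapled:", leaf_stapled_response(tls13) == FAKE_OCSP)
    print("must-staple leaf, nothing stapled ->", must_staple_ok(True, None))
```

Against a live server the same distinction can be checked with `openssl s_client -connect imap.samba.org:993 -status -tls1_3` versus `-tls1_2`, which prints the OCSP response it found in either location, or with gnutls-cli by pinning the version through a priority string such as `--priority NORMAL:-VERS-TLS1.3`; if the response is present with TLS 1.2 but reported missing only with TLS 1.3, the client is not looking in the CertificateEntry extension.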