Bug 257995 - security/gnutls: Cannot connect to some websites
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Tijl Coosemans
URL: https://gitlab.com/gnutls/gnutls/-/me...
Keywords:
Depends on: 263154
Blocks:
Reported: 2021-08-22 15:43 UTC by Ting-Wei Lan
Modified: 2022-04-13 12:56 UTC

See Also:
bugzilla: maintainer-feedback? (tijl)
koobs: merge-quarterly?


Attachments
Patch (2.54 KB, patch)
2021-08-22 15:43 UTC, Ting-Wei Lan

Description Ting-Wei Lan 2021-08-22 15:43:20 UTC
Created attachment 227368
Patch

For example, Epiphany cannot connect to https://join.gov.tw/. It shows the certificate error page. gnutls-cli also fails and shows these error messages:

|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

It turns out it is a GnuTLS bug which has been fixed upstream. If I apply the upstream patch, both Epiphany and gnutls-cli can connect to the site.

https://gitlab.com/gnutls/gnutls/-/issues/1062
https://gitlab.com/gnutls/gnutls/-/merge_requests/1308
Comment 1 commit-hook freebsd_committer freebsd_triage 2022-04-13 12:13:30 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a67a3f98ec28b607845ab6a33b2d2c5504f5b137

commit a67a3f98ec28b607845ab6a33b2d2c5504f5b137
Author:     Tijl Coosemans <tijl@FreeBSD.org>
AuthorDate: 2022-03-24 22:49:24 +0000
Commit:     Tijl Coosemans <tijl@FreeBSD.org>
CommitDate: 2022-04-13 12:11:59 +0000

    security/gnutls: update to 3.7.4

    Switch from security/ca_root_nss to base system certificate store.
    Disable obsolete TPM 1.2 support.

    PR:             257995, 260723, 263107, 263131
    Exp-run by:     antoine

 security/gnutls/Makefile                           | 30 +++++++---------
 security/gnutls/distinfo                           |  6 ++--
 .../files/patch-tests_cert-tests_pkcs12.sh (new)   | 14 ++++++++
 security/gnutls/pkg-plist                          | 40 +++++++++++++++++++---
 4 files changed, 66 insertions(+), 24 deletions(-)