Created attachment 227368
Patch

For example, Epiphany cannot connect to https://join.gov.tw/. It shows the certificate error page. gnutls-cli also fails and shows these error messages:

|<1>| Got OCSP response with an unrelated certificate.
- Status: The certificate is NOT trusted. The received OCSP status response is invalid.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

It turns out it is a GnuTLS bug which has been fixed in the upstream. If I apply the upstream patch, both Epiphany and gnutls-cli can connect to the site.

https://gitlab.com/gnutls/gnutls/-/issues/1062
https://gitlab.com/gnutls/gnutls/-/merge_requests/1308

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a67a3f98ec28b607845ab6a33b2d2c5504f5b137

commit a67a3f98ec28b607845ab6a33b2d2c5504f5b137
Author:     Tijl Coosemans <tijl@FreeBSD.org>
AuthorDate: 2022-03-24 22:49:24 +0000
Commit:     Tijl Coosemans <tijl@FreeBSD.org>
CommitDate: 2022-04-13 12:11:59 +0000

    security/gnutls: update to 3.7.4

    Switch from security/ca_root_nss to base system certificate store.
    Disable obsolete TPM 1.2 support.

    PR:             257995, 260723, 263107, 263131
    Exp-run by:     antoine

 security/gnutls/Makefile                           | 30 +++++++---------
 security/gnutls/distinfo                           |  6 ++--
 .../files/patch-tests_cert-tests_pkcs12.sh (new)   | 14 ++++++++
 security/gnutls/pkg-plist                          | 40 +++++++++++++++++++---
 4 files changed, 66 insertions(+), 24 deletions(-)