authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-16 16:05:15 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2018-01-03 16:23:33 +0100
commitec006f44b13a403c3d8f28dae2effeb9925d110a (patch)
treea47483a0d03d72f2dc1c5c78a40c32a00302f8d8
parentd626a1ece0855c505b5bdacedf326a5f767b8c1e (diff)
tests: enhanced OCSP tests
* Run tests under TLS1.2 and TLS1.3 * Verify whether multiple OCSP responses are received in client side, under TLS1.3. * Verify that OCSP status responses can be sent by client under TLS1.3 * Verify operation of gnutls_certificate_retrieve_function3 * Verify operation when multiple OCSP responses by file are set Resolves #307 Resolves #291 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--tests/Makefile.am10
-rwxr-xr-xtests/gnutls-cli-save-data.sh11
-rw-r--r--tests/ocsp-common.h578
-rwxr-xr-xtests/ocsp-tests/ocsp-must-staple-connection27
-rw-r--r--tests/set_x509_key_file_ocsp.c234
-rw-r--r--tests/set_x509_key_file_ocsp_multi2.c16
-rw-r--r--tests/set_x509_ocsp_multi_invalid.c (renamed from tests/set_x509_key_file_ocsp_multi.c)41
-rw-r--r--tests/set_x509_ocsp_multi_pem.c190
-rw-r--r--tests/set_x509_ocsp_multi_unknown.c237
-rw-r--r--tests/tls13/multi-ocsp.c211
-rw-r--r--tests/tls13/ocsp-client.c221
-rw-r--r--tests/utils-adv.c2
-rw-r--r--tests/utils.h11
-rw-r--r--tests/x509-cert-callback-ocsp.c238
14 files changed, 1990 insertions, 37 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index f69ef776ab..f3a88699a8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -26,6 +26,7 @@ SUBDIRS += suite
endif
EXTRA_DIST = suppressions.valgrind eagain-common.h cert-common.h test-chains.h \
+ ocsp-common.h \
certs/ca-cert-ecc.pem certs/cert-ecc256.pem certs/cert-ecc521.pem \
certs/cert-rsa-2432.pem certs/ecc384.pem certs/ecc.pem hex.h \
certs/ca-ecc.pem certs/cert-ecc384.pem certs/cert-ecc.pem certs/ecc256.pem \
@@ -101,6 +102,10 @@ ctests += tls13/key_update
ctests += tls13/key_limits
+ctests += tls13/multi-ocsp
+
+ctests += tls13/ocsp-client
+
ctests += mini-record-2 simple gc set_pkcs12_cred cert certuniqueid tls-neg-ext-key \
mpi certificate_set_x509_crl dn parse_ca x509-dn x509-dn-decode record-sizes \
hostname-check cve-2008-4989 pkcs12_s2k chainverify record-sizes-range \
@@ -132,7 +137,7 @@ ctests += mini-record-2 simple gc set_pkcs12_cred cert certuniqueid tls-neg-ext-
tls-ext-register tls-supplemental mini-dtls0-9 duplicate-extensions \
mini-record-retvals mini-server-name tls-etm x509-cert-callback \
client-sign-md5-rep tls12-invalid-key-exchanges session-rdn-read \
- tls13-cert-key-exchange \
+ tls13-cert-key-exchange x509-cert-callback-ocsp \
server-sign-md5-rep privkey-keygen mini-tls-nonblock no-signal pkcs7-gen dtls-etm \
x509sign-verify-rsa x509sign-verify-ecdsa mini-alignment oids atfork prf psk-file \
status-request status-request-ok status-request-missing sign-verify-ext \
@@ -156,7 +161,8 @@ ctests += mini-record-2 simple gc set_pkcs12_cred cert certuniqueid tls-neg-ext-
set_x509_key_file_ocsp client-fastopen rng-sigint srp rng-pthread \
safe-renegotiation/srn0 safe-renegotiation/srn1 safe-renegotiation/srn2 \
safe-renegotiation/srn3 safe-renegotiation/srn4 safe-renegotiation/srn5 \
- rsa-illegal-import set_x509_key_file_ocsp_multi set_key set_x509_key_file_ocsp_multi2 \
+ rsa-illegal-import set_x509_ocsp_multi_invalid set_key set_x509_key_file_ocsp_multi2 \
+ set_x509_ocsp_multi_unknown set_x509_ocsp_multi_pem \
set_key_utf8 set_x509_key_utf8 insecure_key handshake-large-packet \
client_dsa_key server_ecdsa_key tls-session-ext-register tls-session-supplemental \
multi-alerts naked-alerts pkcs7-cat-parse set_known_dh_params_x509 \
diff --git a/tests/gnutls-cli-save-data.sh b/tests/gnutls-cli-save-data.sh
index 767453ea02..29a2c081b6 100755
--- a/tests/gnutls-cli-save-data.sh
+++ b/tests/gnutls-cli-save-data.sh
@@ -56,7 +56,7 @@ TMPFILE1=save-data1.$$.tmp
TMPFILE2=save-data2.$$.tmp
eval "${GETPORT}"
-launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1} --ocsp-response=${OCSP1}
+launch_server $$ --echo --x509keyfile ${KEY1} --x509certfile ${CERT1} --ocsp-response=${OCSP1} --ignore-ocsp-response-errors -d 6
PID=$!
wait_server ${PID}
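Review bot: The `-d 6` added to the `launch_server` line looks like leftover debugging; it raises the server's debug level on every run of this test, and nothing else in the hunk depends on the extra output. Unless the verbose log is needed, drop it and keep only `--ignore-ocsp-response-errors`. That flag deserves a comment of its own, e.g. `# OCSP1 is a fixed sample response; load it without server-side validation`, so it is not copied into a test where the server's staple check is the thing being exercised. The reason is inferred, since the hunk does not show what OCSP1 contains.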
@@ -67,8 +67,13 @@ ${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --save-cert ${TMPFILE1} --save-ocsp
kill ${PID}
wait
-if ! test -f ${TMPFILE1} || ! test -f ${TMPFILE2};then
- echo "Could not retrieve OCSP response or certificate"
+if ! test -f ${TMPFILE1};then
+ echo "Could not retrieve certificate"
+ exit 1
+fi
+
+if ! test -f ${TMPFILE2};then
+ echo "Could not retrieve OCSP response"
exit 1
fi
diff --git a/tests/ocsp-common.h b/tests/ocsp-common.h
new file mode 100644
index 0000000000..81b3e43b16
--- /dev/null
+++ b/tests/ocsp-common.h
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef OCSP_COMMON_H
+#define OCSP_COMMON_H
+
+/* Date for responses to be valid */
+#define OCSP_RESP_DATE 1508329639
+
+/* ocsp response with unknown status for
+ * server_ca3_localhost6_cert. Signed with
+ * RSA-SHA256.
+ */
+static const char _ocsp_ca3_localhost6_unknown[] = {
+ 0x30, 0x82, 0x02, 0x3A, 0x0A, 0x01, 0x00, 0xA0,
+ 0x82, 0x02, 0x33, 0x30, 0x82, 0x02, 0x2F, 0x06,
+ 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+ 0x01, 0x01, 0x04, 0x82, 0x02, 0x20, 0x30, 0x82,
+ 0x02, 0x1C, 0x30, 0x81, 0x85, 0xA1, 0x14, 0x30,
+ 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x13, 0x07, 0x73, 0x75, 0x62, 0x43,
+ 0x41, 0x2D, 0x33, 0x18, 0x0F, 0x32, 0x30, 0x31,
+ 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, 0x32,
+ 0x30, 0x34, 0x39, 0x5A, 0x30, 0x5C, 0x30, 0x5A,
+ 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
+ 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0xB2,
+ 0xE6, 0x5C, 0x8E, 0x6E, 0x83, 0x4B, 0xBD, 0x11,
+ 0xD9, 0x97, 0xFA, 0x36, 0x93, 0x59, 0x9E, 0xAD,
+ 0x5C, 0x15, 0xC4, 0x04, 0x14, 0x9E, 0x91, 0xEC,
+ 0x8C, 0xAA, 0x24, 0x5B, 0x22, 0xE0, 0xE8, 0x11,
+ 0xE8, 0xE9, 0xA4, 0x91, 0xB5, 0x91, 0x26, 0x00,
+ 0xF1, 0x02, 0x0C, 0x57, 0xA3, 0x1D, 0x32, 0x37,
+ 0x64, 0x58, 0xFA, 0x7B, 0x52, 0x6F, 0xD7, 0x82,
+ 0x00, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31,
+ 0x30, 0x31, 0x38, 0x31, 0x32, 0x32, 0x30, 0x34,
+ 0x39, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x98, 0x3C,
+ 0xFF, 0xD1, 0x76, 0x93, 0xB0, 0xDD, 0x42, 0xCA,
+ 0x8C, 0x7D, 0x4F, 0x9F, 0xE7, 0x78, 0x14, 0x1D,
+ 0x90, 0x25, 0x67, 0x34, 0x51, 0x3C, 0xF6, 0x10,
+ 0x7E, 0xB9, 0x8C, 0x19, 0xF4, 0x9A, 0x32, 0x6A,
+ 0xFD, 0x5B, 0x77, 0xE9, 0x0A, 0xB2, 0xCD, 0x31,
+ 0x5E, 0x0F, 0x5B, 0x11, 0xA7, 0x75, 0x38, 0x7B,
+ 0x01, 0xFA, 0x2B, 0x68, 0x2C, 0x14, 0x6F, 0xAF,
+ 0x90, 0xC9, 0x69, 0x67, 0x13, 0x70, 0x78, 0x51,
+ 0x44, 0x0B, 0xA6, 0x16, 0x84, 0x6B, 0x09, 0xC3,
+ 0x27, 0xFF, 0x06, 0x25, 0x90, 0x27, 0x08, 0x87,
+ 0x23, 0xCB, 0x1A, 0x56, 0x61, 0x9E, 0x28, 0x9C,
+ 0x42, 0x19, 0xEA, 0x93, 0x7C, 0x05, 0x14, 0x04,
+ 0x7F, 0xC7, 0x1C, 0x40, 0xDD, 0x35, 0xC6, 0x50,
+ 0x79, 0x46, 0xD7, 0x6A, 0xB1, 0x59, 0xAF, 0xC6,
+ 0xDA, 0x0C, 0xD2, 0x1B, 0xAC, 0x3B, 0x46, 0x09,
+ 0x0E, 0x7B, 0x02, 0xC3, 0x01, 0x55, 0x5E, 0xE9,
+ 0x4F, 0x10, 0x58, 0x16, 0xB8, 0x54, 0xA8, 0x54,
+ 0xBB, 0x31, 0xEB, 0x99, 0x64, 0x73, 0xEE, 0x3F,
+ 0x44, 0xCE, 0xBB, 0xF9, 0x0A, 0xDB, 0x36, 0x90,
+ 0x51, 0x80, 0xAA, 0xE1, 0x6F, 0xC3, 0x00, 0x13,
+ 0x65, 0x80, 0x36, 0x3A, 0x63, 0x48, 0x05, 0x52,
+ 0x7F, 0x91, 0x96, 0xB0, 0x7F, 0x53, 0xFC, 0x5D,
+ 0x87, 0x0C, 0x6E, 0x5C, 0xAC, 0x0A, 0x45, 0x22,
+ 0x83, 0x72, 0xC0, 0xAF, 0x5E, 0xDB, 0x5C, 0xE4,
+ 0xA9, 0x80, 0x16, 0x43, 0xAB, 0x55, 0x72, 0x9B,
+ 0x37, 0x41, 0xBB, 0xEF, 0x20, 0x45, 0xD5, 0xCB,
+ 0xF8, 0xCE, 0xA9, 0x50, 0x12, 0x79, 0xAC, 0x6E,
+ 0xC0, 0x79, 0xA4, 0x74, 0x1C, 0xF8, 0x48, 0xD4,
+ 0xFC, 0xDC, 0xBB, 0xDA, 0x36, 0x72, 0x46, 0x05,
+ 0x32, 0x97, 0x4C, 0x6B, 0xA4, 0x3C, 0xA0, 0x0E,
+ 0xB7, 0xAC, 0x49, 0xA4, 0x52, 0xF0, 0xAC, 0xD5,
+ 0x8D, 0x86, 0x07, 0xDB, 0xC3, 0x67, 0xE4, 0x95,
+ 0x62, 0x52, 0x33, 0x33, 0x2D, 0x00, 0x49, 0x23,
+ 0xCC, 0x12, 0x62, 0xFB, 0x89, 0x27, 0xD5, 0x27,
+ 0xCB, 0x75, 0xC4, 0xCB, 0x60, 0x17, 0xFD, 0x4E,
+ 0x7A, 0x2A, 0xD7, 0x0B, 0x09, 0x84, 0x03, 0x20,
+ 0x38, 0x53, 0x73, 0x71, 0x66, 0xFC, 0x64, 0x9C,
+ 0x6E, 0x1A, 0x1E, 0xC5, 0x5E, 0x0C, 0xAD, 0x9D,
+ 0xE3, 0x37, 0xF2, 0xC2, 0xFC, 0xA1, 0x31, 0x26,
+ 0x2C, 0xA1, 0xDF, 0x05, 0x19, 0xD6, 0x18, 0xE8,
+ 0x25, 0x7C, 0x23, 0x23, 0xDE, 0x89, 0x6F, 0x5E,
+ 0x98, 0xE8, 0xB6, 0xB2, 0x25, 0x28, 0x30, 0x12,
+ 0x19, 0xB1, 0x84, 0x95, 0x8F, 0x8F, 0x65, 0x75,
+ 0x2D, 0x90, 0xA8, 0x8D, 0xD9, 0xC3, 0x40, 0x79,
+ 0xC8, 0xC8, 0xA1, 0xDC, 0xD0, 0x16, 0x02, 0xFE,
+ 0x60, 0xBE, 0xA3, 0x58, 0xA2, 0xC4, 0xBA, 0xE5,
+ 0x86, 0x4F, 0xF3, 0x2F, 0x46, 0xB9, 0x62, 0x2F,
+ 0xCD, 0xE4, 0x1A, 0x62, 0x83, 0x76
+};
+
+const char _ocsp_ca3_localhost6_unknown_pem[] =
+ "-----BEGIN OCSP RESPONSE-----\n"
+ "MIICOgoBAKCCAjMwggIvBgkrBgEFBQcwAQEEggIgMIICHDCBhaEUMBIxEDAOBgNV\n"
+ "BAMTB3N1YkNBLTMYDzIwMTcxMDE4MTIyMDQ5WjBcMFowRTAJBgUrDgMCGgUABBSy\n"
+ "5lyOboNLvRHZl/o2k1merVwVxAQUnpHsjKokWyLg6BHo6aSRtZEmAPECDFejHTI3\n"
+ "ZFj6e1Jv14IAGA8yMDE3MTAxODEyMjA0OVowDQYJKoZIhvcNAQELBQADggGBAJg8\n"
+ "/9F2k7DdQsqMfU+f53gUHZAlZzRRPPYQfrmMGfSaMmr9W3fpCrLNMV4PWxGndTh7\n"
+ "AforaCwUb6+QyWlnE3B4UUQLphaEawnDJ/8GJZAnCIcjyxpWYZ4onEIZ6pN8BRQE\n"
+ "f8ccQN01xlB5RtdqsVmvxtoM0husO0YJDnsCwwFVXulPEFgWuFSoVLsx65lkc+4/\n"
+ "RM67+QrbNpBRgKrhb8MAE2WANjpjSAVSf5GWsH9T/F2HDG5crApFIoNywK9e21zk\n"
+ "qYAWQ6tVcps3QbvvIEXVy/jOqVASeaxuwHmkdBz4SNT83LvaNnJGBTKXTGukPKAO\n"
+ "t6xJpFLwrNWNhgfbw2fklWJSMzMtAEkjzBJi+4kn1SfLdcTLYBf9Tnoq1wsJhAMg\n"
+ "OFNzcWb8ZJxuGh7FXgytneM38sL8oTEmLKHfBRnWGOglfCMj3olvXpjotrIlKDAS\n"
+ "GbGElY+PZXUtkKiN2cNAecjIodzQFgL+YL6jWKLEuuWGT/MvRrliL83kGmKDdg==\n"
+ "-----END OCSP RESPONSE-----";
+
+static gnutls_datum_t ocsp_ca3_localhost6_unknown = {
+ (void *)_ocsp_ca3_localhost6_unknown,
+ sizeof(_ocsp_ca3_localhost6_unknown)
+};
+
+static gnutls_datum_t ocsp_ca3_localhost6_unknown_pem = {
+ (void *)_ocsp_ca3_localhost6_unknown_pem,
+ sizeof(_ocsp_ca3_localhost6_unknown_pem)-1
+};
+
+/* ocsp response with unknown status for
+ * server_ca3_localhost_cert. Signed with
+ * RSA-SHA512.
+ */
+static const char _ocsp_ca3_localhost_unknown[] = {
+ 0x30, 0x82, 0x06, 0x53, 0x0A, 0x01, 0x00, 0xA0,
+ 0x82, 0x06, 0x4C, 0x30, 0x82, 0x06, 0x48, 0x06,
+ 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+ 0x01, 0x01, 0x04, 0x82, 0x06, 0x39, 0x30, 0x82,
+ 0x06, 0x35, 0x30, 0x81, 0x85, 0xA1, 0x14, 0x30,
+ 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x13, 0x07, 0x73, 0x75, 0x62, 0x43,
+ 0x41, 0x2D, 0x33, 0x18, 0x0F, 0x32, 0x30, 0x31,
+ 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, 0x30,
+ 0x39, 0x33, 0x30, 0x5A, 0x30, 0x5C, 0x30, 0x5A,
+ 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
+ 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0xB2,
+ 0xE6, 0x5C, 0x8E, 0x6E, 0x83, 0x4B, 0xBD, 0x11,
+ 0xD9, 0x97, 0xFA, 0x36, 0x93, 0x59, 0x9E, 0xAD,
+ 0x5C, 0x15, 0xC4, 0x04, 0x14, 0x9E, 0x91, 0xEC,
+ 0x8C, 0xAA, 0x24, 0x5B, 0x22, 0xE0, 0xE8, 0x11,
+ 0xE8, 0xE9, 0xA4, 0x91, 0xB5, 0x91, 0x26, 0x00,
+ 0xF1, 0x02, 0x0C, 0x57, 0xA3, 0x1D, 0x32, 0x36,
+ 0xC8, 0x0C, 0xA1, 0xCA, 0xB0, 0xBD, 0xF6, 0x82,
+ 0x00, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31,
+ 0x30, 0x31, 0x38, 0x31, 0x32, 0x30, 0x39, 0x33,
+ 0x30, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x56, 0x64,
+ 0x2B, 0x10, 0xAA, 0xE7, 0x26, 0x7F, 0xF1, 0x7F,
+ 0x86, 0x97, 0x0E, 0x18, 0xB4, 0x75, 0x92, 0x65,
+ 0x12, 0x2B, 0x46, 0x9F, 0x3E, 0x96, 0x98, 0xE4,
+ 0xAB, 0x10, 0xD1, 0x0E, 0xEA, 0x08, 0xE2, 0xA5,
+ 0x01, 0x75, 0xA4, 0x5B, 0x76, 0xAC, 0x49, 0x2B,
+ 0x9E, 0xF1, 0x4A, 0xF2, 0x79, 0x3A, 0x4E, 0x15,
+ 0x81, 0xFF, 0x4D, 0xD3, 0x65, 0x8E, 0xAE, 0x4A,
+ 0xBB, 0x33, 0x35, 0x8B, 0x0F, 0xB6, 0x5D, 0x32,
+ 0xEF, 0xF5, 0xE1, 0x25, 0xBF, 0xBD, 0x52, 0x1D,
+ 0x99, 0xF2, 0x34, 0xE0, 0xFB, 0x38, 0x34, 0x6C,
+ 0x9A, 0xEF, 0x53, 0xB2, 0x90, 0xC6, 0xFB, 0x75,
+ 0xA0, 0x8C, 0xBC, 0x6B, 0x8E, 0xD8, 0xDE, 0x33,
+ 0xE4, 0x6F, 0xF2, 0xAD, 0xF2, 0xA2, 0x4F, 0xC2,
+ 0x58, 0x47, 0xE2, 0x68, 0x6D, 0x3A, 0x3A, 0xB3,
+ 0x0A, 0x82, 0x3D, 0xA4, 0x85, 0x00, 0x58, 0x3E,
+ 0x00, 0x35, 0x9D, 0x6B, 0x1F, 0xFF, 0x9F, 0xAE,
+ 0xB0, 0x9A, 0xE2, 0xC7, 0x0E, 0x9A, 0xB3, 0x7C,
+ 0x52, 0xE9, 0xDA, 0x50, 0x57, 0x35, 0x72, 0x71,
+ 0x81, 0xA7, 0xC0, 0x40, 0x28, 0xEA, 0x2B, 0xCE,
+ 0x09, 0x47, 0x1D, 0xB1, 0x80, 0x41, 0x59, 0xF6,
+ 0x5D, 0xD3, 0x3C, 0xEA, 0x11, 0xD8, 0x13, 0xB9,
+ 0x0F, 0x32, 0x6A, 0x29, 0x72, 0xBE, 0xC1, 0xC3,
+ 0x1B, 0xB5, 0x4C, 0x4D, 0x0D, 0xA1, 0xD5, 0xF0,
+ 0xC4, 0xEC, 0xC5, 0x5A, 0x93, 0x41, 0x7A, 0x01,
+ 0x24, 0xB3, 0x7A, 0x71, 0x82, 0xA3, 0xC6, 0x08,
+ 0x42, 0x91, 0x0E, 0x6B, 0xE7, 0x86, 0x0B, 0xAF,
+ 0xBE, 0xDF, 0x07, 0x5A, 0x8C, 0x35, 0xF8, 0x5F,
+ 0x7F, 0x2F, 0x60, 0x04, 0xDD, 0x2A, 0xF2, 0x0D,
+ 0xC0, 0x1C, 0x6F, 0xA0, 0x30, 0x80, 0xA4, 0x35,
+ 0x83, 0xD3, 0xC3, 0xCC, 0x35, 0x46, 0x36, 0xEB,
+ 0xE9, 0xB1, 0x3C, 0x08, 0x8F, 0xCC, 0x5D, 0xCA,
+ 0xD9, 0xAF, 0x3E, 0xD4, 0x58, 0xBB, 0x90, 0x5D,
+ 0xEF, 0x01, 0x9C, 0xD9, 0x3E, 0x56, 0x7E, 0xCF,
+ 0x13, 0xAA, 0x11, 0xC4, 0x22, 0xD2, 0xA0, 0x9F,
+ 0x1B, 0xE9, 0xF0, 0x78, 0x70, 0x3B, 0xCC, 0x21,
+ 0x7D, 0x6B, 0x46, 0x97, 0x3F, 0x3B, 0x0C, 0x5B,
+ 0x8F, 0xA8, 0x28, 0x72, 0x4A, 0x41, 0x4D, 0xE6,
+ 0xDD, 0x2E, 0xBD, 0xF1, 0xA4, 0x1E, 0xA2, 0xA2,
+ 0x94, 0x6E, 0xAD, 0x33, 0xC2, 0x56, 0xD3, 0x29,
+ 0xCF, 0x75, 0x5E, 0x35, 0x59, 0xEB, 0x07, 0x78,
+ 0x23, 0x0B, 0x20, 0x4E, 0xEB, 0x61, 0x2B, 0x46,
+ 0x77, 0x0A, 0x9F, 0xA4, 0x57, 0xA8, 0x45, 0x45,
+ 0x6E, 0x8F, 0xB4, 0xD5, 0x9C, 0xFC, 0x84, 0x78,
+ 0xC3, 0x82, 0xD9, 0xB6, 0xA7, 0xD5, 0x76, 0xE0,
+ 0x23, 0x09, 0x2B, 0x9A, 0x7C, 0x7C, 0xB5, 0x6D,
+ 0x84, 0x9D, 0x1F, 0x47, 0x0C, 0x9C, 0xD6, 0x86,
+ 0x2B, 0xDD, 0xF4, 0xFA, 0x97, 0xE7, 0x72, 0xE7,
+ 0x42, 0x52, 0x74, 0xE8, 0x4D, 0x01, 0xA0, 0x82,
+ 0x04, 0x15, 0x30, 0x82, 0x04, 0x11, 0x30, 0x82,
+ 0x04, 0x0D, 0x30, 0x82, 0x02, 0x75, 0xA0, 0x03,
+ 0x02, 0x01, 0x02, 0x02, 0x0C, 0x57, 0xA3, 0x1D,
+ 0x32, 0x35, 0xB3, 0x4F, 0xD0, 0xB9, 0xF5, 0xE7,
+ 0x3C, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
+ 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00,
+ 0x30, 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03,
+ 0x55, 0x04, 0x03, 0x13, 0x04, 0x43, 0x41, 0x2D,
+ 0x33, 0x30, 0x20, 0x17, 0x0D, 0x31, 0x36, 0x30,
+ 0x35, 0x31, 0x30, 0x30, 0x38, 0x34, 0x38, 0x33,
+ 0x30, 0x5A, 0x18, 0x0F, 0x39, 0x39, 0x39, 0x39,
+ 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39,
+ 0x35, 0x39, 0x5A, 0x30, 0x12, 0x31, 0x10, 0x30,
+ 0x0E, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x07,
+ 0x73, 0x75, 0x62, 0x43, 0x41, 0x2D, 0x33, 0x30,
+ 0x82, 0x01, 0xA2, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+ 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x8F, 0x00, 0x30,
+ 0x82, 0x01, 0x8A, 0x02, 0x82, 0x01, 0x81, 0x00,
+ 0xA0, 0x39, 0xC3, 0x57, 0xCD, 0x2B, 0x4E, 0x9D,
+ 0x11, 0x68, 0x8B, 0x4E, 0x5A, 0x31, 0x12, 0xDE,
+ 0x30, 0x1E, 0x39, 0x5F, 0x86, 0xB6, 0xB2, 0xB4,
+ 0x81, 0xBA, 0x5D, 0xD4, 0x2F, 0x10, 0xD2, 0x1A,
+ 0x32, 0x0F, 0xD0, 0x41, 0x25, 0xFF, 0xF5, 0xF6,
+ 0x58, 0xB8, 0xA8, 0xA5, 0xEF, 0xF1, 0x34, 0xBF,
+ 0x1B, 0x3C, 0x24, 0x69, 0x23, 0x5B, 0x12, 0x55,
+ 0x79, 0x7C, 0x1D, 0xBD, 0x5C, 0x2B, 0x7A, 0x96,
+ 0x34, 0x66, 0xB3, 0x56, 0x60, 0xBB, 0xC5, 0x6D,
+ 0x3B, 0x37, 0x12, 0xF6, 0xE8, 0x8F, 0x3A, 0x7B,
+ 0x7F, 0xC1, 0x55, 0x19, 0xEA, 0xF2, 0x2A, 0x15,
+ 0xB6, 0xF3, 0xD0, 0xC0, 0x4A, 0x6F, 0xB8, 0x8F,
+ 0x05, 0xF7, 0xBC, 0x75, 0xBC, 0xBF, 0xE7, 0xF9,
+ 0xC7, 0xDC, 0x76, 0x43, 0x7B, 0xEC, 0xD4, 0x9C,
+ 0xAF, 0x90, 0xBD, 0x8C, 0x73, 0x15, 0x8A, 0x84,
+ 0x6F, 0x0B, 0xEA, 0x8A, 0xCF, 0xD6, 0xD4, 0x07,
+ 0x1E, 0x43, 0x4B, 0x24, 0x95, 0xEB, 0xA3, 0xD1,
+ 0xE7, 0xEC, 0x06, 0xB0, 0x90, 0xEF, 0x91, 0xFB,
+ 0x26, 0x8D, 0x53, 0xA0, 0xAA, 0x24, 0xE5, 0x49,
+ 0x64, 0x12, 0xE4, 0x6D, 0xE7, 0x30, 0xCA, 0xB4,
+ 0x46, 0x2C, 0x6C, 0x73, 0x97, 0x4F, 0xE5, 0x6C,
+ 0xA0, 0x91, 0xB7, 0x61, 0xF7, 0xEE, 0x39, 0x50,
+ 0x2B, 0x4E, 0x6D, 0xC9, 0xC7, 0x00, 0x12, 0x6B,
+ 0x3F, 0xE1, 0xAD, 0x2E, 0x21, 0xB4, 0x00, 0xE5,
+ 0x31, 0xEA, 0x83, 0xF3, 0x3E, 0xD7, 0x99, 0x2F,
+ 0x5D, 0xDE, 0xAD, 0x65, 0xE0, 0xEF, 0x36, 0x2E,
+ 0xB1, 0x36, 0xAB, 0x8F, 0xDA, 0xD3, 0x71, 0xDB,
+ 0x20, 0x47, 0xF2, 0x26, 0xD6, 0x62, 0x33, 0x98,
+ 0x3D, 0xA2, 0xEC, 0x68, 0x49, 0xA3, 0x81, 0xA3,
+ 0xD1, 0x29, 0x37, 0x46, 0xAF, 0x77, 0x27, 0x27,
+ 0x80, 0xF8, 0x0C, 0xB9, 0x50, 0xF9, 0xAA, 0x72,
+ 0x6F, 0x9D, 0xA9, 0x7D, 0x34, 0x6F, 0x8F, 0x4C,
+ 0x4D, 0x3B, 0xF8, 0x1A, 0xD3, 0xB9, 0xDE, 0x42,
+ 0xD0, 0x48, 0x25, 0xD8, 0x14, 0x9F, 0x7A, 0x8D,
+ 0xC3, 0x22, 0x5C, 0xCC, 0xC1, 0x14, 0x90, 0xF5,
+ 0x44, 0xEB, 0x1D, 0x93, 0x85, 0x94, 0x79, 0xDF,
+ 0xED, 0x24, 0xC1, 0xDF, 0x7E, 0xDB, 0x43, 0xCF,
+ 0xD8, 0xF7, 0x59, 0xCB, 0x97, 0xF4, 0xCD, 0xA7,
+ 0xCD, 0x34, 0xF6, 0xC6, 0x56, 0xAE, 0xA2, 0x48,
+ 0xDB, 0x10, 0x08, 0x51, 0x0D, 0x1C, 0x39, 0x7F,
+ 0x10, 0x85, 0x66, 0x1E, 0xD3, 0x6E, 0x66, 0x87,
+ 0xE2, 0xFC, 0xAC, 0x0C, 0xEF, 0x54, 0x65, 0x75,
+ 0x44, 0x5D, 0x22, 0xCA, 0xA2, 0x74, 0x36, 0x2E,
+ 0x6C, 0xAC, 0xA3, 0x8F, 0x2C, 0xFC, 0x6D, 0xF4,
+ 0x56, 0x69, 0x52, 0x8E, 0xD3, 0xED, 0x26, 0xA4,
+ 0x6C, 0xBF, 0xFA, 0x0F, 0xA4, 0x23, 0xBF, 0x73,
+ 0x40, 0xFA, 0x06, 0xB9, 0x07, 0x57, 0x9E, 0x41,
+ 0xE3, 0xCC, 0x5F, 0x9B, 0x22, 0x05, 0x8E, 0x01,
+ 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x64, 0x30,
+ 0x62, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13,
+ 0x01, 0x01, 0xFF, 0x04, 0x05, 0x30, 0x03, 0x01,
+ 0x01, 0xFF, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D,
+ 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x05, 0x03, 0x03,
+ 0x07, 0x06, 0x00, 0x30, 0x1D, 0x06, 0x03, 0x55,
+ 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x2D, 0x33,
+ 0x04, 0x1B, 0x27, 0x7F, 0x94, 0x04, 0x7C, 0xC7,
+ 0xE3, 0x35, 0x4F, 0xE9, 0x25, 0xA4, 0x94, 0xE1,
+ 0xB7, 0xA1, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D,
+ 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xF9,
+ 0xA8, 0x86, 0x19, 0x63, 0xB6, 0xA4, 0x14, 0x13,
+ 0x60, 0x76, 0x0F, 0x01, 0x9A, 0x35, 0x36, 0xEF,
+ 0xF1, 0xB4, 0xAF, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+ 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B,
+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x32,
+ 0x28, 0xB9, 0x1B, 0x1D, 0xFF, 0x77, 0xFE, 0x7C,
+ 0xA0, 0x34, 0x72, 0xE5, 0xAD, 0x28, 0x3E, 0xF4,
+ 0x21, 0x91, 0x4D, 0x1D, 0x29, 0xAE, 0xB5, 0x35,
+ 0xF8, 0xE3, 0x3B, 0x3F, 0x6E, 0xAB, 0x13, 0x52,
+ 0x8A, 0x52, 0xC9, 0x13, 0xB8, 0xC6, 0x24, 0xF6,
+ 0x86, 0xDA, 0xD2, 0xAD, 0x0B, 0xF5, 0xD4, 0xD5,
+ 0x86, 0xEA, 0x97, 0x6B, 0x6A, 0x41, 0x8E, 0xBC,
+ 0x92, 0x88, 0x23, 0x2A, 0xCD, 0xF5, 0x40, 0x2E,
+ 0x91, 0x16, 0x4A, 0x19, 0x00, 0x5A, 0x2E, 0x4C,
+ 0x9B, 0x75, 0xD6, 0x4C, 0xDB, 0x81, 0x55, 0x8A,
+ 0x7B, 0x00, 0xA4, 0xDF, 0xF3, 0xAB, 0x03, 0x4F,
+ 0xD9, 0x91, 0x1A, 0xC0, 0x7C, 0x4D, 0x0F, 0x99,
+ 0xAF, 0xCD, 0x21, 0x34, 0x70, 0x4C, 0x79, 0x93,
+ 0xB1, 0x03, 0x9D, 0xBF, 0xF6, 0xF3, 0x47, 0xEC,
+ 0x48, 0x3E, 0x18, 0xCA, 0xC4, 0xAA, 0xCA, 0xC8,
+ 0x91, 0x4C, 0x1B, 0x9C, 0x5B, 0xF9, 0x0D, 0x0E,
+ 0x29, 0x26, 0xDD, 0xF2, 0x40, 0xE9, 0x81, 0x85,
+ 0x8A, 0xA1, 0xBE, 0x71, 0xDA, 0x3B, 0x0D, 0x62,
+ 0x01, 0x03, 0xA7, 0xC9, 0xD8, 0x49, 0x14, 0xF8,
+ 0xE5, 0x21, 0xB0, 0xED, 0xCE, 0xC5, 0x72, 0xE9,
+ 0xA4, 0x5F, 0x3D, 0xA7, 0x03, 0xAA, 0xF9, 0x37,
+ 0x06, 0xE7, 0x84, 0x42, 0xEF, 0x34, 0x52, 0xBC,
+ 0x7F, 0x3B, 0x18, 0xF9, 0x02, 0x4A, 0x1D, 0xA0,
+ 0x25, 0x27, 0xD0, 0x9C, 0x96, 0x58, 0x8F, 0xD4,
+ 0xF8, 0xA2, 0x01, 0xC9, 0x76, 0x2D, 0x0A, 0x36,
+ 0x81, 0xAC, 0xA0, 0x58, 0xD8, 0x83, 0xFA, 0x08,
+ 0x27, 0xAB, 0x3C, 0xBB, 0x9E, 0xA6, 0xA6, 0xF6,
+ 0xB8, 0x9E, 0x38, 0xE3, 0x07, 0x96, 0xCD, 0x64,
+ 0x28, 0x50, 0x05, 0xAD, 0x6C, 0xB6, 0x83, 0xF7,
+ 0x01, 0x85, 0x37, 0xD2, 0xFB, 0xFE, 0xD2, 0x86,
+ 0x97, 0xB1, 0xEC, 0xD2, 0xB6, 0x18, 0x08, 0xAE,
+ 0x8E, 0x05, 0x15, 0xD1, 0x36, 0x47, 0x13, 0x21,
+ 0x19, 0xB7, 0xAB, 0xA6, 0xE2, 0x02, 0xD2, 0xF6,
+ 0xFC, 0x14, 0x2A, 0xCF, 0xD1, 0xE1, 0x74, 0xBD,
+ 0x54, 0xBF, 0xDB, 0x06, 0x57, 0xC0, 0xCB, 0x68,
+ 0x40, 0x55, 0x37, 0x94, 0x7A, 0x38, 0x91, 0x04,
+ 0x67, 0x93, 0x26, 0x4A, 0x81, 0xBB, 0xBF, 0x9C,
+ 0xE0, 0x57, 0x6B, 0x08, 0x1C, 0x95, 0x85, 0xA7,
+ 0x90, 0x01, 0x23, 0x18, 0xBB, 0xF9, 0x60, 0x6B,
+ 0xC7, 0x9A, 0x18, 0xBD, 0x73, 0x25, 0xB2, 0x5E,
+ 0xD8, 0x14, 0x16, 0x23, 0xBE, 0x78, 0x28, 0x36,
+ 0x03, 0x4F, 0xDA, 0x8A, 0x36, 0xA1, 0xA5, 0x83,
+ 0x2B, 0x2B, 0xE0, 0x05, 0x63, 0x7B, 0xBC, 0xF5,
+ 0x63, 0x53, 0x10, 0xEF, 0x64, 0xA7, 0x7E, 0xBC,
+ 0xD8, 0x49, 0x0C, 0x3A, 0x04, 0x1F, 0x39, 0x0A,
+ 0xEA, 0xC1, 0xEA, 0x2A, 0x2E, 0xDD, 0x0F, 0x9E,
+ 0x33, 0x8A, 0x38, 0x83, 0xFF, 0xB1, 0x18, 0x4B,
+ 0x83, 0xA3, 0x43, 0x5E, 0xFF, 0xC8, 0xAB
+};
+
+const char _ocsp_ca3_localhost_unknown_pem[] =
+ "-----BEGIN OCSP RESPONSE-----\n"
+ "MIICNwoBAKCCAjAwggIsBgkrBgEFBQcwAQEEggIdMIICGTCBgqERMA8xDTALBgNV\n"
+ "BAMTBENBLTMYDzIwMTcxMDE4MTIzODUyWjBcMFowRTAJBgUrDgMCGgUABBS3yg+r\n"
+ "3G+4sJZ6FayYCg8Z/qQS3gQUHoXtf55x+gidN0hDoBLv5arh44oCDFejHTI1s0/Q\n"
+ "ufXnPIIAGA8yMDE3MTAxODEyMzg1MlowDQYJKoZIhvcNAQELBQADggGBALMParB9\n"
+ "K97DlT4FmMdPScoT7oAAsar4XxKLU9+oraht7H+WTAYSpnCxh/ugR17G0jtzTzIw\n"
+ "nLQFAyR9MDYKp4Om4YqQ7r+43DiIqKVU25WcrVifUbtkR+LbjH+Bk1UHvFE8mCOX\n"
+ "ZB+cmQyjGap1RX0dnj2Wm48vUwqp71nA8AYcXL575xZ4rb9DDhaoV2h3S0Zlu4IN\n"
+ "btuDIVsxJ53kqkGjjVB4/R0RtqCXOI2ThMK3SfDWqwzF9tYA763VVXi+g+w3oyv4\n"
+ "ZtP8QUWOVUY4azpElX1wqoO8znUjxs1AzROLUeLPK8GMLVIZLP361J2kLgcj0Gdq\n"
+ "GIVH5N54p6bl5OgSUP3EdKbFRZyCVZ2n8Der3Cf9PtfvGV7Ze4Cv/CCN6rJkk54P\n"
+ "6auP6pEJg0ESGC5fop5HFCyVM+W/ot0A1cxN0+cHYlqB1NQholLqe3psDjJ2EoIK\n"
+ "LtN5dRLO6z5L74CwwiJ1SeLh8XyJtr/ee9RnFB56XCzO7lyhbHPx/VT6Qw==\n"
+ "-----END OCSP RESPONSE-----";
+
+static gnutls_datum_t ocsp_ca3_localhost_unknown = {
+ (void *)_ocsp_ca3_localhost_unknown, sizeof(_ocsp_ca3_localhost_unknown)
+};
+
+static gnutls_datum_t ocsp_ca3_localhost_unknown_pem = {
+ (void *)_ocsp_ca3_localhost_unknown_pem, sizeof(_ocsp_ca3_localhost_unknown_pem)
+};
+
+
+/* ocsp response with unknown status for
+ * server_ca3_localhost_cert. Signed with
+ * RSA-SHA1.
+ */
+static const char _ocsp_ca3_localhost_unknown_sha1[] = {
+ 0x30, 0x82, 0x02, 0x3A, 0x0A, 0x01, 0x00, 0xA0,
+ 0x82, 0x02, 0x33, 0x30, 0x82, 0x02, 0x2F, 0x06,
+ 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+ 0x01, 0x01, 0x04, 0x82, 0x02, 0x20, 0x30, 0x82,
+ 0x02, 0x1C, 0x30, 0x81, 0x85, 0xA1, 0x14, 0x30,
+ 0x12, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x13, 0x07, 0x73, 0x75, 0x62, 0x43,
+ 0x41, 0x2D, 0x33, 0x18, 0x0F, 0x32, 0x30, 0x31,
+ 0x37, 0x31, 0x30, 0x31, 0x38, 0x31, 0x32, 0x32,
+ 0x32, 0x30, 0x36, 0x5A, 0x30, 0x5C, 0x30, 0x5A,
+ 0x30, 0x45, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
+ 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14, 0xB2,
+ 0xE6, 0x5C, 0x8E, 0x6E, 0x83, 0x4B, 0xBD, 0x11,
+ 0xD9, 0x97, 0xFA, 0x36, 0x93, 0x59, 0x9E, 0xAD,
+ 0x5C, 0x15, 0xC4, 0x04, 0x14, 0x9E, 0x91, 0xEC,
+ 0x8C, 0xAA, 0x24, 0x5B, 0x22, 0xE0, 0xE8, 0x11,
+ 0xE8, 0xE9, 0xA4, 0x91, 0xB5, 0x91, 0x26, 0x00,
+ 0xF1, 0x02, 0x0C, 0x57, 0xA3, 0x1D, 0x32, 0x36,
+ 0xC8, 0x0C, 0xA1, 0xCA, 0xB0, 0xBD, 0xF6, 0x82,
+ 0x00, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31,
+ 0x30, 0x31, 0x38, 0x31, 0x32, 0x32, 0x32, 0x30,
+ 0x36, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x81, 0x00, 0x29, 0x91,
+ 0xFA, 0x87, 0x8F, 0x4D, 0xC2, 0x25, 0x67, 0x4F,
+ 0x2A, 0x39, 0xF9, 0xDA, 0x05, 0x4A, 0x8E, 0xBC,
+ 0x72, 0xB7, 0x8B, 0xF1, 0x6C, 0x77, 0x5E, 0x2F,
+ 0x0F, 0xA4, 0xEC, 0x7F, 0xD6, 0x63, 0xEA, 0x39,
+ 0x17, 0x6F, 0xAA, 0x4B, 0x86, 0x46, 0x0E, 0xB2,
+ 0xE1, 0x65, 0x1C, 0xEC, 0x97, 0x05, 0x00, 0x4D,
+ 0xAC, 0xBA, 0xA5, 0xD4, 0x1B, 0xB8, 0x4A, 0x05,
+ 0x94, 0x6C, 0xC9, 0xE1, 0x41, 0x5B, 0x44, 0x4F,
+ 0x39, 0x9C, 0xF7, 0xAF, 0x04, 0x31, 0x1A, 0x5B,
+ 0xF8, 0x5E, 0x42, 0xDA, 0xEA, 0xFF, 0x25, 0x67,
+ 0x75, 0x3E, 0x46, 0xC4, 0x7D, 0x31, 0x74, 0xBD,
+ 0x19, 0xFF, 0x11, 0x7F, 0x21, 0x39, 0x4D, 0xE3,
+ 0x07, 0x2F, 0xF4, 0xF5, 0x6B, 0xE7, 0x10, 0xF8,
+ 0x6C, 0x57, 0x7B, 0x83, 0x84, 0xCD, 0x3D, 0x61,
+ 0xFD, 0x91, 0x87, 0x03, 0x03, 0xDD, 0x7A, 0x60,
+ 0xF9, 0x1D, 0x82, 0xE9, 0xD9, 0x4B, 0xC9, 0xF2,
+ 0x6F, 0xE5, 0x09, 0xCC, 0xEC, 0x63, 0xD7, 0xC1,
+ 0xED, 0x54, 0x6D, 0x03, 0xC8, 0xC5, 0x92, 0xBC,
+ 0x22, 0x11, 0xCD, 0x3A, 0x2E, 0x51, 0xCD, 0x5F,
+ 0xA5, 0xB5, 0xA3, 0x5C, 0x8D, 0x54, 0x92, 0x85,
+ 0x6B, 0x92, 0x2A, 0x23, 0x5E, 0xFB, 0x35, 0xFB,
+ 0x23, 0xDA, 0x17, 0x16, 0x6D, 0xB2, 0xFB, 0xD8,
+ 0x8D, 0x43, 0x9F, 0x36, 0xE9, 0x5E, 0xA2, 0xCB,
+ 0xA5, 0x2D, 0xAE, 0xDD, 0x63, 0xFC, 0x53, 0x90,
+ 0xB5, 0x54, 0x82, 0x7C, 0xBD, 0x08, 0xD7, 0x4E,
+ 0xEA, 0x11, 0x84, 0x3C, 0x5B, 0x63, 0x06, 0xA5,
+ 0x2C, 0x8B, 0x09, 0x13, 0xC7, 0x04, 0x5F, 0xAF,
+ 0x73, 0xB1, 0x89, 0x40, 0x12, 0xEA, 0x9C, 0x56,
+ 0xC6, 0x08, 0x39, 0xD4, 0xAA, 0x1F, 0xAF, 0x74,
+ 0x78, 0xCC, 0x84, 0xC2, 0x8A, 0xE8, 0x0B, 0xCD,
+ 0xD3, 0x2D, 0xCD, 0x98, 0x2E, 0x8D, 0xAB, 0x59,
+ 0xFC, 0xCF, 0x4C, 0x1A, 0x30, 0xED, 0x8E, 0x3F,
+ 0xF8, 0xC7, 0xBD, 0xE3, 0x64, 0x94, 0x0C, 0xFC,
+ 0x24, 0x85, 0x35, 0x0A, 0x0E, 0x65, 0xA7, 0x2C,
+ 0x0B, 0x80, 0xB9, 0xB0, 0x97, 0xA5, 0x70, 0xE0,
+ 0x12, 0x86, 0x69, 0x74, 0x22, 0xEA, 0xE3, 0x11,
+ 0x4B, 0x34, 0xB1, 0xFB, 0x24, 0xEE, 0x00, 0x73,
+ 0x71, 0x33, 0x74, 0x62, 0x64, 0x10, 0xDD, 0x5A,
+ 0x3A, 0x10, 0xA3, 0x8E, 0x36, 0x03, 0x0D, 0x17,
+ 0xE3, 0x72, 0x29, 0xAE, 0x5A, 0xBD, 0x2E, 0xE0,
+ 0xFD, 0xB1, 0xDF, 0x8F, 0x2C, 0x24, 0xCF, 0xB9,
+ 0x10, 0x99, 0x68, 0xA2, 0x55, 0x01, 0x1E, 0xFB,
+ 0x9B, 0x14, 0x4C, 0x1E, 0xB4, 0x59, 0x79, 0xB7,
+ 0x8F, 0x07, 0x28, 0x3E, 0xB4, 0x2E, 0x8F, 0x91,
+ 0x51, 0xFD, 0x8F, 0x12, 0x8D, 0xC6, 0x57, 0x7B,
+ 0x87, 0xEF, 0x9C, 0x8B, 0x90, 0xD3, 0xA5, 0xB0,
+ 0xBE, 0x4B, 0xFA, 0x33, 0x54, 0x87, 0x81, 0xCF,
+ 0x96, 0x9A, 0xD3, 0xDC, 0xA9, 0xB6
+};
+
+static gnutls_datum_t ocsp_ca3_localhost_unknown_sha1 = {
+ (void *)_ocsp_ca3_localhost_unknown_sha1,
+ sizeof(_ocsp_ca3_localhost_unknown_sha1)
+};
+
+/* ocsp response with unknown status for
+ * subca3_cert_pem. Signed with
+ * RSA-SHA256.
+ */
+static const char _ocsp_subca3_unknown[] = {
+ 0x30, 0x82, 0x02, 0x37, 0x0A, 0x01, 0x00, 0xA0,
+ 0x82, 0x02, 0x30, 0x30, 0x82, 0x02, 0x2C, 0x06,
+ 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+ 0x01, 0x01, 0x04, 0x82, 0x02, 0x1D, 0x30, 0x82,
+ 0x02, 0x19, 0x30, 0x81, 0x82, 0xA1, 0x11, 0x30,
+ 0x0F, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x13, 0x04, 0x43, 0x41, 0x2D, 0x33,
+ 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, 0x30,
+ 0x31, 0x38, 0x31, 0x32, 0x33, 0x38, 0x35, 0x32,
+ 0x5A, 0x30, 0x5C, 0x30, 0x5A, 0x30, 0x45, 0x30,
+ 0x09, 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x1A,
+ 0x05, 0x00, 0x04, 0x14, 0xB7, 0xCA, 0x0F, 0xAB,
+ 0xDC, 0x6F, 0xB8, 0xB0, 0x96, 0x7A, 0x15, 0xAC,
+ 0x98, 0x0A, 0x0F, 0x19, 0xFE, 0xA4, 0x12, 0xDE,
+ 0x04, 0x14, 0x1E, 0x85, 0xED, 0x7F, 0x9E, 0x71,
+ 0xFA, 0x08, 0x9D, 0x37, 0x48, 0x43, 0xA0, 0x12,
+ 0xEF, 0xE5, 0xAA, 0xE1, 0xE3, 0x8A, 0x02, 0x0C,
+ 0x57, 0xA3, 0x1D, 0x32, 0x35, 0xB3, 0x4F, 0xD0,
+ 0xB9, 0xF5, 0xE7, 0x3C, 0x82, 0x00, 0x18, 0x0F,
+ 0x32, 0x30, 0x31, 0x37, 0x31, 0x30, 0x31, 0x38,
+ 0x31, 0x32, 0x33, 0x38, 0x35, 0x32, 0x5A, 0x30,
+ 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
+ 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82,
+ 0x01, 0x81, 0x00, 0xB3, 0x0F, 0x6A, 0xB0, 0x7D,
+ 0x2B, 0xDE, 0xC3, 0x95, 0x3E, 0x05, 0x98, 0xC7,
+ 0x4F, 0x49, 0xCA, 0x13, 0xEE, 0x80, 0x00, 0xB1,
+ 0xAA, 0xF8, 0x5F, 0x12, 0x8B, 0x53, 0xDF, 0xA8,
+ 0xAD, 0xA8, 0x6D, 0xEC, 0x7F, 0x96, 0x4C, 0x06,
+ 0x12, 0xA6, 0x70, 0xB1, 0x87, 0xFB, 0xA0, 0x47,
+ 0x5E, 0xC6, 0xD2, 0x3B, 0x73, 0x4F, 0x32, 0x30,
+ 0x9C, 0xB4, 0x05, 0x03, 0x24, 0x7D, 0x30, 0x36,
+ 0x0A, 0xA7, 0x83, 0xA6, 0xE1, 0x8A, 0x90, 0xEE,
+ 0xBF, 0xB8, 0xDC, 0x38, 0x88, 0xA8, 0xA5, 0x54,
+ 0xDB, 0x95, 0x9C, 0xAD, 0x58, 0x9F, 0x51, 0xBB,
+ 0x64, 0x47, 0xE2, 0xDB, 0x8C, 0x7F, 0x81, 0x93,
+ 0x55, 0x07, 0xBC, 0x51, 0x3C, 0x98, 0x23, 0x97,
+ 0x64, 0x1F, 0x9C, 0x99, 0x0C, 0xA3, 0x19, 0xAA,
+ 0x75, 0x45, 0x7D, 0x1D, 0x9E, 0x3D, 0x96, 0x9B,
+ 0x8F, 0x2F, 0x53, 0x0A, 0xA9, 0xEF, 0x59, 0xC0,
+ 0xF0, 0x06, 0x1C, 0x5C, 0xBE, 0x7B, 0xE7, 0x16,
+ 0x78, 0xAD, 0xBF, 0x43, 0x0E, 0x16, 0xA8, 0x57,
+ 0x68, 0x77, 0x4B, 0x46, 0x65, 0xBB, 0x82, 0x0D,
+ 0x6E, 0xDB, 0x83, 0x21, 0x5B, 0x31, 0x27, 0x9D,
+ 0xE4, 0xAA, 0x41, 0xA3, 0x8D, 0x50, 0x78, 0xFD,
+ 0x1D, 0x11, 0xB6, 0xA0, 0x97, 0x38, 0x8D, 0x93,
+ 0x84, 0xC2, 0xB7, 0x49, 0xF0, 0xD6, 0xAB, 0x0C,
+ 0xC5, 0xF6, 0xD6, 0x00, 0xEF, 0xAD, 0xD5, 0x55,
+ 0x78, 0xBE, 0x83, 0xEC, 0x37, 0xA3, 0x2B, 0xF8,
+ 0x66, 0xD3, 0xFC, 0x41, 0x45, 0x8E, 0x55, 0x46,
+ 0x38, 0x6B, 0x3A, 0x44, 0x95, 0x7D, 0x70, 0xAA,
+ 0x83, 0xBC, 0xCE, 0x75, 0x23, 0xC6, 0xCD, 0x40,
+ 0xCD, 0x13, 0x8B, 0x51, 0xE2, 0xCF, 0x2B, 0xC1,
+ 0x8C, 0x2D, 0x52, 0x19, 0x2C, 0xFD, 0xFA, 0xD4,
+ 0x9D, 0xA4, 0x2E, 0x07, 0x23, 0xD0, 0x67, 0x6A,
+ 0x18, 0x85, 0x47, 0xE4, 0xDE, 0x78, 0xA7, 0xA6,
+ 0xE5, 0xE4, 0xE8, 0x12, 0x50, 0xFD, 0xC4, 0x74,
+ 0xA6, 0xC5, 0x45, 0x9C, 0x82, 0x55, 0x9D, 0xA7,
+ 0xF0, 0x37, 0xAB, 0xDC, 0x27, 0xFD, 0x3E, 0xD7,
+ 0xEF, 0x19, 0x5E, 0xD9, 0x7B, 0x80, 0xAF, 0xFC,
+ 0x20, 0x8D, 0xEA, 0xB2, 0x64, 0x93, 0x9E, 0x0F,
+ 0xE9, 0xAB, 0x8F, 0xEA, 0x91, 0x09, 0x83, 0x41,
+ 0x12, 0x18, 0x2E, 0x5F, 0xA2, 0x9E, 0x47, 0x14,
+ 0x2C, 0x95, 0x33, 0xE5, 0xBF, 0xA2, 0xDD, 0x00,
+ 0xD5, 0xCC, 0x4D, 0xD3, 0xE7, 0x07, 0x62, 0x5A,
+ 0x81, 0xD4, 0xD4, 0x21, 0xA2, 0x52, 0xEA, 0x7B,
+ 0x7A, 0x6C, 0x0E, 0x32, 0x76, 0x12, 0x82, 0x0A,
+ 0x2E, 0xD3, 0x79, 0x75, 0x12, 0xCE, 0xEB, 0x3E,
+ 0x4B, 0xEF, 0x80, 0xB0, 0xC2, 0x22, 0x75, 0x49,
+ 0xE2, 0xE1, 0xF1, 0x7C, 0x89, 0xB6, 0xBF, 0xDE,
+ 0x7B, 0xD4, 0x67, 0x14, 0x1E, 0x7A, 0x5C, 0x2C,
+ 0xCE, 0xEE, 0x5C, 0xA1, 0x6C, 0x73, 0xF1, 0xFD,
+ 0x54, 0xFA, 0x43
+};
+
+const char _ocsp_subca3_unknown_pem[] =
+ "-----BEGIN OCSP RESPONSE-----\n"
+ "MIIGUwoBAKCCBkwwggZIBgkrBgEFBQcwAQEEggY5MIIGNTCBhaEUMBIxEDAOBgNV\n"
+ "BAMTB3N1YkNBLTMYDzIwMTcxMDE4MTIwOTMwWjBcMFowRTAJBgUrDgMCGgUABBSy\n"
+ "5lyOboNLvRHZl/o2k1merVwVxAQUnpHsjKokWyLg6BHo6aSRtZEmAPECDFejHTI2\n"
+ "yAyhyrC99oIAGA8yMDE3MTAxODEyMDkzMFowDQYJKoZIhvcNAQENBQADggGBAFZk\n"
+ "KxCq5yZ/8X+Glw4YtHWSZRIrRp8+lpjkqxDRDuoI4qUBdaRbdqxJK57xSvJ5Ok4V\n"
+ "gf9N02WOrkq7MzWLD7ZdMu/14SW/vVIdmfI04Ps4NGya71OykMb7daCMvGuO2N4z\n"
+ "5G/yrfKiT8JYR+JobTo6swqCPaSFAFg+ADWdax//n66wmuLHDpqzfFLp2lBXNXJx\n"
+ "gafAQCjqK84JRx2xgEFZ9l3TPOoR2BO5DzJqKXK+wcMbtUxNDaHV8MTsxVqTQXoB\n"
+ "JLN6cYKjxghCkQ5r54YLr77fB1qMNfhffy9gBN0q8g3AHG+gMICkNYPTw8w1Rjbr\n"
+ "6bE8CI/MXcrZrz7UWLuQXe8BnNk+Vn7PE6oRxCLSoJ8b6fB4cDvMIX1rRpc/Owxb\n"
+ "j6gockpBTebdLr3xpB6iopRurTPCVtMpz3VeNVnrB3gjCyBO62ErRncKn6RXqEVF\n"
+ "bo+01Zz8hHjDgtm2p9V24CMJK5p8fLVthJ0fRwyc1oYr3fT6l+dy50JSdOhNAaCC\n"
+ "BBUwggQRMIIEDTCCAnWgAwIBAgIMV6MdMjWzT9C59ec8MA0GCSqGSIb3DQEBCwUA\n"
+ "MA8xDTALBgNVBAMTBENBLTMwIBcNMTYwNTEwMDg0ODMwWhgPOTk5OTEyMzEyMzU5\n"
+ "NTlaMBIxEDAOBgNVBAMTB3N1YkNBLTMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAw\n"
+ "ggGKAoIBgQCgOcNXzStOnRFoi05aMRLeMB45X4a2srSBul3ULxDSGjIP0EEl//X2\n"
+ "WLiope/xNL8bPCRpI1sSVXl8Hb1cK3qWNGazVmC7xW07NxL26I86e3/BVRnq8ioV\n"
+ "tvPQwEpvuI8F97x1vL/n+cfcdkN77NScr5C9jHMVioRvC+qKz9bUBx5DSySV66PR\n"
+ "5+wGsJDvkfsmjVOgqiTlSWQS5G3nMMq0Rixsc5dP5Wygkbdh9+45UCtObcnHABJr\n"
+ "P+GtLiG0AOUx6oPzPteZL13erWXg7zYusTarj9rTcdsgR/Im1mIzmD2i7GhJo4Gj\n"
+ "0Sk3Rq93JyeA+Ay5UPmqcm+dqX00b49MTTv4GtO53kLQSCXYFJ96jcMiXMzBFJD1\n"
+ "ROsdk4WUed/tJMHffttDz9j3WcuX9M2nzTT2xlauokjbEAhRDRw5fxCFZh7TbmaH\n"
+ "4vysDO9UZXVEXSLKonQ2Lmyso48s/G30VmlSjtPtJqRsv/oPpCO/c0D6BrkHV55B\n"
+ "48xfmyIFjgECAwEAAaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMD\n"
+ "BwYAMB0GA1UdDgQWBBQtMwQbJ3+UBHzH4zVP6SWklOG3oTAfBgNVHSMEGDAWgBT5\n"
+ "qIYZY7akFBNgdg8BmjU27/G0rzANBgkqhkiG9w0BAQsFAAOCAYEAMii5Gx3/d/58\n"
+ "oDRy5a0oPvQhkU0dKa61NfjjOz9uqxNSilLJE7jGJPaG2tKtC/XU1Ybql2tqQY68\n"
+ "kogjKs31QC6RFkoZAFouTJt11kzbgVWKewCk3/OrA0/ZkRrAfE0Pma/NITRwTHmT\n"
+ "sQOdv/bzR+xIPhjKxKrKyJFMG5xb+Q0OKSbd8kDpgYWKob5x2jsNYgEDp8nYSRT4\n"
+ "5SGw7c7FcumkXz2nA6r5NwbnhELvNFK8fzsY+QJKHaAlJ9CclliP1PiiAcl2LQo2\n"
+ "gaygWNiD+ggnqzy7nqam9rieOOMHls1kKFAFrWy2g/cBhTfS+/7Shpex7NK2GAiu\n"
+ "jgUV0TZHEyEZt6um4gLS9vwUKs/R4XS9VL/bBlfAy2hAVTeUejiRBGeTJkqBu7+c\n"
+ "4FdrCByVhaeQASMYu/lga8eaGL1zJbJe2BQWI754KDYDT9qKNqGlgysr4AVje7z1\n"
+ "Y1MQ72SnfrzYSQw6BB85CurB6iou3Q+eM4o4g/+xGEuDo0Ne/8ir\n"
+ "-----END OCSP RESPONSE-----\n";
+
+static gnutls_datum_t ocsp_subca3_unknown = {
+ (void *)_ocsp_subca3_unknown, sizeof(_ocsp_subca3_unknown)
+};
+
+static gnutls_datum_t ocsp_subca3_unknown_pem = {
+ (void *)_ocsp_subca3_unknown_pem, sizeof(_ocsp_subca3_unknown_pem)-1
+};
+
+#endif
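Review bot: The PEM fixtures for two of the responses look swapped against their DER counterparts: `_ocsp_ca3_localhost_unknown_pem` begins `MIICNwoB…`, which is the base64 of the `30 82 02 37 0A 01` header of `_ocsp_subca3_unknown`, while `_ocsp_subca3_unknown_pem` begins `MIIGUwoB…`, the header of `_ocsp_ca3_localhost_unknown`. If that is not intended, a test that feeds the PEM form exercises a response for a different certificate than its name says, and a staple-matching bug could pass unnoticed; swap the two bodies or rename them. `ocsp_ca3_localhost_unknown_pem` also uses `sizeof(_ocsp_ca3_localhost_unknown_pem)` without the `-1` that the other two PEM datums have, so its size counts the terminating NUL; make it `sizeof(_ocsp_ca3_localhost_unknown_pem)-1`. The three `_pem` arrays are declared `const char` without `static`, unlike the DER arrays, so including this header from two files of one program would give duplicate definitions; `static const char _ocsp_subca3_unknown_pem[] =` (and likewise for the other two) avoids that.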
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection b/tests/ocsp-tests/ocsp-must-staple-connection
index 3caf25535b..5ec896207d 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection
+++ b/tests/ocsp-tests/ocsp-must-staple-connection
@@ -203,7 +203,7 @@ launch_bare_server $$ \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
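Review bot: Nothing at this launch says why `--ignore-ocsp-response-errors` is needed, and the same flag is added the same way in the hunks at -238, -274 and -359. With it, these cases no longer exercise the server's own check of the staple it loads. If any of them serves a response the server would accept, leaving the flag off there keeps that default path covered. Where the flag is required, a comment before the launch would state the intent, for example `# staple is unacceptable to the server by design; this case tests the client side`. The flag is appended to the `--ocsp-response` line here but placed on its own continuation line in Test 5.1, so one layout should be chosen.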
@@ -238,7 +238,7 @@ launch_bare_server $$ \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
@@ -274,7 +274,7 @@ launch_bare_server $$ \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
@@ -301,7 +301,7 @@ echo "=== Test 5: Server with valid certificate - expired staple ==="
rm -f "${OCSP_RESPONSE_FILE}"
# Generate an OCSP response which expires in 2 days and use it after
-# a month.
+# a month. gnutls server doesn't send such a staple to clients.
${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}"
datefudge -s ${EXP_OCSP_DATE} \
${OPENSSL} ocsp -index "${INDEXFILE}" -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" -ndays 2
@@ -310,12 +310,29 @@ eval "${GETPORT}"
# Port for gnutls-serv
TLS_SERVER_PORT=$PORT
PORT=${TLS_SERVER_PORT}
+
+TIMEOUT=$(which timeout)
+if test -n "$TIMEOUT";then
+${TIMEOUT} 30 "${GNUTLS_SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${OCSP_RESPONSE_FILE}"
+if test $? != 1;then
+ echo "Running gnutls-serv with an expired response, succeeds!"
+ exit ${rc}
+fi
+fi
+
+echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ==="
+
launch_bare_server $$ \
datefudge "${TESTDATE}" \
"${GNUTLS_SERV}" --echo --disable-client-cert \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}" \
+ --ignore-ocsp-response-errors \
--ocsp-response="${OCSP_RESPONSE_FILE}"
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
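Review bot: The failure branch of the new expired-staple check ends with `exit ${rc}`, and nothing in this hunk assigns `rc`. If it is unset or 0 at this point, the script exits successfully even though the server accepted an expired response, so `exit 1` would be unambiguous. The test `$? != 1` also accepts any startup failure that returns 1 as proof that the staple was refused. Matching on the server's error output, or at least noting this in a comment, would make the check specific. Unlike the other launches this one is not wrapped in `datefudge "${TESTDATE}"`, so whether the response counts as expired depends on the wall clock. The check is skipped silently when `timeout` is not installed.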
@@ -359,7 +376,7 @@ launch_bare_server $$ \
--x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
--x509certfile="${SERVER_CERT_FILE}" \
--port="${TLS_SERVER_PORT}" \
- --ocsp-response="${OCSP_RESPONSE_FILE}"
+ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
TLS_SERVER_PID="${!}"
wait_server $TLS_SERVER_PID
diff --git a/tests/set_x509_key_file_ocsp.c b/tests/set_x509_key_file_ocsp.c
index 99be433b14..d668550932 100644
--- a/tests/set_x509_key_file_ocsp.c
+++ b/tests/set_x509_key_file_ocsp.c
@@ -47,10 +47,212 @@ static time_t mytime(time_t * t)
return then;
}
-#define RESP1 "\x30\x82\x06\x8C\x0A\x01\x00\xA0\x82\x06\x85\x30\x82\x06\x81\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x06\x72\x30\x82\x06\x6E\x30\x82\x01\x07\xA1\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\x30\x64\x30\x62\x30\x3A\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x13\x9D\xA0\x9E\xF4\x32\xAB\x8F\xE2\x89\x56\x67\xFA\xD0\xD4\xE3\x35\x86\x71\xB9\x04\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\x02\x01\x1D\x80\x00\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\xA0\x11\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x39\x32\x38\x5A\xA1\x23\x30\x21\x30\x1F\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x02\x04\x12\x04\x10\x16\x89\x7D\x91\x3A\xB5\x25\xA4\x45\xFE\xC9\xFD\xC2\xE5\x08\xA4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4E\xAD\x6B\x2B\xF7\xF2\xBF\xA9\x23\x1E\x3A\x0B\x06\xDB\x55\x53\x2B\x64\x54\x11\x32\xBF\x60\xF7\x4F\xE0\x8E\x9B\xA0\xA2\x4C\x79\xC3\x2A\xE0\x43\xF7\x40\x1A\xDC\xB9\xB4\x25\xEF\x48\x01\x97\x8C\xF5\x1E\xDB\xD1\x30\x37\x73\x69\xD6\xA7\x7A\x2D\x8E\xDE\x5C\xAA\xEA\x39\xB9\x52\xAA\x25\x1E\x74\x7D\xF9\x78\x95\x8A\x92\x1F\x98\x21\xF4\x60\x7F\xD3\x28\xEE\x47\x9C\xBF\xE2\x5D\xF6\x3F\x68\x0A\xD6\xFF\x08\xC1\xDC\x95\x1E\x29\xD7\x3E\x85\xD5\x65\xA4\x4B\xC0\xAF\xC3\x78\xAB\x06\x98\x88\x19\x8A\x64\xA6\x83\x91\x87\x13\xDB\x17\xCC\x46\xBD\xAB\x4E\xC7\x16\xD1\xF8\x35\xFD\x27\xC8\xF6\x6B\xEB\x37\xB8\x08\x6F\xE2\x6F\xB4\x7E\xD5\x68\xDB\x7F\x5D\x5E\x36\x38\xF2\x77\x59\x13\xE7\x3E\x4D\x67\x5F\xDB\xA2\xF5\x5D\x7C
\xBF\xBD\xB5\x37\x33\x51\x36\x63\xF8\x21\x1E\xFC\x73\x8F\x32\x69\xBB\x97\xA7\xBD\xF1\xB6\xE0\x40\x09\x68\xEA\xD5\x93\xB8\xBB\x39\x8D\xA8\x16\x1B\xBF\x04\x7A\xBC\x18\x43\x01\xE9\x3C\x19\x5C\x4D\x4B\x98\xD8\x23\x37\x39\xA4\xC4\xDD\xED\x9C\xEC\x37\xAB\x66\x44\x9B\xE7\x5B\x5D\x32\xA2\xDB\xA6\x0B\x3B\x8C\xE1\xF5\xDB\xCB\x7D\x58\xA0\x82\x04\x4B\x30\x82\x04\x47\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x39\x31\x31\x32\x34\x31\x32\x35\x31\x35\x33\x5A\x17\x0D\x31\x34\x31\x31\x32\x33\x31\x32\x35\x31\x35\x33\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x05\x3E\x4B\xBE\xC6\xB1\x33\x48\x0E\xC3\xD4\x0C\xEF\x83\x0B\xBD\xBC\x57\x5F\x14\xEF\xF5\x6D\x0B\xFF\xFA\x01\x9C\xFA\x21\x6D\x5C\xAE\x79\x29\x74\xFE\xBD\xAB\x70\x87\x98\x6B\x48\x35\x79\xE3\xE0\xC1\x14\x41\x1F\x0A\xF7\xE7\xA3\xA6\xDA\x6B\xFF\xCD\x74\xE9\x95\x00\x38\xAA\xD6\x3A\x60\xC6\x64\xA1\xE6\x02\x39\x58\x4E\xFD\xF2\x78\x08\x63\xB6\xD7\x7A\x96\x79\x62\x18\x39\xEE\x27\x8D\x3B\xA2\x3D\x48\x88\xDB\x43\xD6\x6A\x77\x20\x6A\x27\x39\x50\xE0\x02\x50\x19\xF2\x7A\xCF\x78\x23\x99\x01\xD4\xE5\xB1\xD1\x31\xE6\x6B\x84\xAF\xD0\x77\x41\x46\x85\xB0\x3B\xE6\x6A
\x00\x0F\x3B\x7E\x95\x7F\x59\xA8\x22\xE8\x49\x49\x05\xC8\xCB\x6C\xEE\x47\xA7\x2D\xC9\x74\x5B\xEB\x8C\xD5\x99\xC2\xE2\x70\xDB\xEA\x87\x43\x84\x0E\x4F\x83\x1C\xA6\xEB\x1F\x22\x38\x17\x69\x9B\x72\x12\x95\x48\x71\xB2\x7B\x92\x73\x52\xAB\xE3\x1A\xA5\xD3\xF4\x44\x14\xBA\xC3\x35\xDA\x91\x6C\x7D\xB4\xC2\x00\x07\xD8\x0A\x51\xF1\x0D\x4C\xD9\x7A\xD1\x99\xE6\xA8\x8D\x0A\x80\xA8\x91\xDD\x8A\xA2\x6B\xF6\xDB\xB0\x3E\xC9\x71\xA9\xE0\x39\xC3\xA3\x58\x0D\x87\xD0\xB2\xA7\x9C\xB7\x69\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x09\x06\x03\x55\x1D\x13\x04\x02\x30\x00\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x03\xA8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x34\x91\x6E\x91\x32\xBF\x35\x25\x43\xCC\x28\x74\xEF\x82\xC2\x57\x92\x79\x13\x73\x30\x6D\x06\x03\x55\x1D\x23\x04\x66\x30\x64\x80\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x01\x00\x30\x1E\x06\x03\x55\x1D\x11\x04\x17\x30\x15\x82\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x13\x06\x03\x55\x1D\x25\x04\x0C\x30\x0A\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x2F\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6D\x78\xD7\x66\x90\xA6\xEB\xDD\xB5\x09\x48\xA4\xDA\x27\xFA\xAC\xB1\xBC\x8F\x8C\xBE\xCC\x8C\x09\xA2\x40\x0D\x6C\x4A\xAE\x72\x22\x1E\xC8\xAF\x6D\xF1\x12\xAF\xD7\x40\x51\x79\xD4\xDD\xB2\x0C\xDB\x97\x84\xB6\x24\xD5\xF5\xA8\xBB\xC0\x4B\xF9\x7F\x71\xF7\xB0\x65\x42\x4A\x7D\xFE\x76\x7E\x05\xD2
\x46\xB8\x7D\xB3\x39\x4C\x5C\xB1\xFA\xB9\xEE\x3B\x70\x33\x39\x57\x1A\xB9\x95\x51\x33\x00\x25\x1B\x4C\xAA\xB4\xA7\x55\xAF\x63\x6D\x6F\x88\x17\x6A\x7F\xB0\x97\xDE\x49\x14\x6A\x27\x6A\xB0\x42\x80\xD6\xA6\x9B\xEF\x04\x5E\x11\x7D\xD5\x8E\x54\x20\xA2\x76\xD4\x66\x58\xAC\x9C\x12\xD3\xF5\xCA\x54\x98\xCA\x21\xEC\xC1\x55\xA1\x2F\x68\x0B\x5D\x04\x50\xD2\x5E\x70\x25\xD8\x13\xD9\x44\x51\x0E\x8A\x42\x08\x18\x84\xE6\x61\xCE\x5A\x7D\x7B\x81\x35\x90\xC3\xD4\x9D\x19\xB6\x37\xEE\x8F\x63\x5C\xDA\xD8\xF0\x64\x60\x39\xEB\x9B\x1C\x54\x66\x75\x76\xB5\x0A\x58\xB9\x3F\x91\xE1\x21\x9C\xA0\x50\x15\x97\xB6\x7E\x41\xBC\xD0\xC4\x21\x4C\xF5\xD7\xF0\x13\xF8\x77\xE9\x74\xC4\x8A\x0E\x20\x17\x32\xAE\x38\xC2\xA5\xA8\x62\x85\x17\xB1\xA2\xD3\x22\x9F\x95\xB7\xA3\x4C"
+static const unsigned char _resp[] = {
+0x30, 0x82, 0x06, 0x45, 0x0A, 0x01, 0x00, 0xA0,
+0x82, 0x06, 0x3E, 0x30, 0x82, 0x06, 0x3A, 0x06,
+0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+0x01, 0x01, 0x04, 0x82, 0x06, 0x2B, 0x30, 0x82,
+0x06, 0x27, 0x30, 0x81, 0x9E, 0xA2, 0x16, 0x04,
+0x14, 0x1E, 0xA5, 0xBD, 0xCA, 0x59, 0x64, 0x55,
+0x85, 0xAC, 0xDA, 0x54, 0x34, 0x23, 0x40, 0xD1,
+0xF6, 0xBD, 0xC3, 0xB0, 0xF6, 0x18, 0x0F, 0x32,
+0x30, 0x31, 0x37, 0x31, 0x31, 0x31, 0x39, 0x30,
+0x39, 0x34, 0x33, 0x34, 0x37, 0x5A, 0x30, 0x73,
+0x30, 0x71, 0x30, 0x49, 0x30, 0x09, 0x06, 0x05,
+0x2B, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04,
+0x14, 0xD1, 0xB1, 0x64, 0x8B, 0x8C, 0x9F, 0x0D,
+0xD1, 0x6B, 0xA3, 0x8A, 0xCD, 0x2B, 0x50, 0x17,
+0xD5, 0xF9, 0xCF, 0xC0, 0x64, 0x04, 0x14, 0x5F,
+0x60, 0xCF, 0x61, 0x90, 0x55, 0xDF, 0x84, 0x43,
+0x14, 0x8A, 0x60, 0x2A, 0xB2, 0xF5, 0x7A, 0xF4,
+0x43, 0x18, 0xEF, 0x02, 0x10, 0x28, 0x2E, 0x96,
+0xB3, 0x6B, 0x76, 0xD6, 0xD8, 0x52, 0x46, 0xED,
+0xBB, 0x31, 0xB2, 0x0C, 0x98, 0x80, 0x00, 0x18,
+0x0F, 0x32, 0x30, 0x31, 0x37, 0x31, 0x31, 0x31,
+0x39, 0x30, 0x39, 0x34, 0x33, 0x34, 0x37, 0x5A,
+0xA0, 0x11, 0x18, 0x0F, 0x32, 0x30, 0x31, 0x37,
+0x31, 0x31, 0x32, 0x36, 0x30, 0x39, 0x34, 0x33,
+0x34, 0x37, 0x5A, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05,
+0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x54,
+0x66, 0x9D, 0x96, 0x6B, 0x9D, 0x71, 0x18, 0x86,
+0x90, 0x5D, 0xD9, 0x54, 0x9C, 0xC4, 0x7F, 0x18,
+0x51, 0xE9, 0xFE, 0xF3, 0xE6, 0x48, 0x60, 0x89,
+0x74, 0xFD, 0xF1, 0x6D, 0xDB, 0x1F, 0x5A, 0x28,
+0x3D, 0x16, 0xEA, 0xA6, 0xD6, 0xE0, 0xAA, 0x42,
+0xF9, 0x5B, 0x76, 0xA1, 0x59, 0xDA, 0x30, 0x8D,
+0x08, 0x18, 0xDD, 0x60, 0x39, 0x0B, 0x90, 0x64,
+0x11, 0x1E, 0x9D, 0xA2, 0x70, 0x18, 0xAD, 0xC6,
+0x27, 0xD3, 0xF1, 0xBA, 0x11, 0x4E, 0xF6, 0x9D,
+0x6C, 0xC5, 0xEB, 0xD6, 0xB7, 0x43, 0x9D, 0x32,
+0x31, 0xC9, 0x24, 0x19, 0xB9, 0x47, 0x1C, 0x61,
+0x09, 0x8F, 0xAA, 0x42, 0x5B, 0xAF, 0x66, 0x0F,
+0x23, 0xAA, 0x80, 0xC0, 0x85, 0x7F, 0x00, 0x08,
+0xCA, 0x30, 0xE4, 0xC8, 0xDA, 0x2F, 0xC4, 0xD2,
+0x7E, 0x86, 0xCC, 0xDA, 0x6D, 0xD4, 0x7E, 0x40,
+0x66, 0xD8, 0x5C, 0x27, 0x83, 0xDA, 0x10, 0x8F,
+0x91, 0xA8, 0xE6, 0x9D, 0x44, 0x13, 0xF1, 0x04,
+0x4E, 0xC9, 0xF9, 0xC8, 0xA2, 0xED, 0x9C, 0x9F,
+0x05, 0xDA, 0xFA, 0x4A, 0xEA, 0xD2, 0x72, 0xF9,
+0xF1, 0xF6, 0xDB, 0xFF, 0xF8, 0x55, 0x0E, 0x92,
+0x75, 0xD6, 0x83, 0xBC, 0x7A, 0x95, 0xBE, 0xBF,
+0x8D, 0xD5, 0xA3, 0x23, 0x02, 0x32, 0xF8, 0x60,
+0xF7, 0x7C, 0x46, 0xC6, 0x69, 0x7E, 0xB7, 0x23,
+0xE1, 0x36, 0xC2, 0xEE, 0xBD, 0xFF, 0x3C, 0x05,
+0x5E, 0x07, 0x0C, 0xA6, 0x64, 0x65, 0x82, 0x46,
+0xC9, 0x67, 0x73, 0xC9, 0x15, 0xC8, 0xFA, 0x0F,
+0x73, 0xB5, 0x48, 0x0F, 0x0E, 0x6F, 0x43, 0xE8,
+0x8D, 0x7A, 0x21, 0x88, 0x12, 0x08, 0x37, 0x18,
+0x67, 0x66, 0x05, 0xD1, 0x2C, 0x4D, 0xE8, 0xA6,
+0x1B, 0x4D, 0x29, 0xD4, 0xEF, 0x79, 0x83, 0xDB,
+0xCA, 0x6E, 0xBC, 0xE4, 0xCA, 0x50, 0xB0, 0x73,
+0xEF, 0xD6, 0xC7, 0x69, 0xF6, 0x16, 0x1E, 0xA0,
+0x82, 0x04, 0x6E, 0x30, 0x82, 0x04, 0x6A, 0x30,
+0x82, 0x04, 0x66, 0x30, 0x82, 0x03, 0x4E, 0xA0,
+0x03, 0x02, 0x01, 0x02, 0x02, 0x10, 0x6F, 0x93,
+0x87, 0x5C, 0x4B, 0x9E, 0x94, 0x93, 0xF8, 0x5F,
+0x16, 0xA7, 0x05, 0x86, 0x82, 0x8C, 0x30, 0x0D,
+0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
+0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x7E, 0x31,
+0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+0x13, 0x02, 0x55, 0x53, 0x31, 0x1D, 0x30, 0x1B,
+0x06, 0x03, 0x55, 0x04, 0x0A, 0x13, 0x14, 0x53,
+0x79, 0x6D, 0x61, 0x6E, 0x74, 0x65, 0x63, 0x20,
+0x43, 0x6F, 0x72, 0x70, 0x6F, 0x72, 0x61, 0x74,
+0x69, 0x6F, 0x6E, 0x31, 0x1F, 0x30, 0x1D, 0x06,
+0x03, 0x55, 0x04, 0x0B, 0x13, 0x16, 0x53, 0x79,
+0x6D, 0x61, 0x6E, 0x74, 0x65, 0x63, 0x20, 0x54,
+0x72, 0x75, 0x73, 0x74, 0x20, 0x4E, 0x65, 0x74,
+0x77, 0x6F, 0x72, 0x6B, 0x31, 0x2F, 0x30, 0x2D,
+0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x26, 0x53,
+0x79, 0x6D, 0x61, 0x6E, 0x74, 0x65, 0x63, 0x20,
+0x43, 0x6C, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20,
+0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53,
+0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x41,
+0x20, 0x2D, 0x20, 0x47, 0x34, 0x30, 0x1E, 0x17,
+0x0D, 0x31, 0x37, 0x31, 0x30, 0x31, 0x30, 0x30,
+0x30, 0x30, 0x30, 0x30, 0x30, 0x5A, 0x17, 0x0D,
+0x31, 0x38, 0x30, 0x31, 0x30, 0x38, 0x32, 0x33,
+0x35, 0x39, 0x35, 0x39, 0x5A, 0x30, 0x40, 0x31,
+0x3E, 0x30, 0x3C, 0x06, 0x03, 0x55, 0x04, 0x03,
+0x13, 0x35, 0x53, 0x79, 0x6D, 0x61, 0x6E, 0x74,
+0x65, 0x63, 0x20, 0x43, 0x6C, 0x61, 0x73, 0x73,
+0x20, 0x33, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72,
+0x65, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
+0x20, 0x43, 0x41, 0x20, 0x2D, 0x20, 0x47, 0x34,
+0x20, 0x4F, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65,
+0x73, 0x70, 0x6F, 0x6E, 0x64, 0x65, 0x72, 0x30,
+0x82, 0x01, 0x22, 0x30, 0x0D, 0x06, 0x09, 0x2A,
+0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01,
+0x05, 0x00, 0x03, 0x82, 0x01, 0x0F, 0x00, 0x30,
+0x82, 0x01, 0x0A, 0x02, 0x82, 0x01, 0x01, 0x00,
+0xBA, 0xB1, 0x3E, 0xBD, 0xF0, 0x1E, 0x19, 0x16,
+0xEA, 0x20, 0x44, 0x73, 0x1F, 0xD8, 0x85, 0x17,
+0xC4, 0xBF, 0x86, 0xF0, 0x75, 0x46, 0x02, 0xA8,
+0x5B, 0x7F, 0xA8, 0xF8, 0xB2, 0x08, 0x08, 0x55,
+0x01, 0xDD, 0x5B, 0xA4, 0x0B, 0xBD, 0x8A, 0x0A,
+0x87, 0x90, 0x62, 0x21, 0x59, 0x67, 0x33, 0x36,
+0x77, 0x49, 0xAB, 0x69, 0x4B, 0xDB, 0xB8, 0xFC,
+0x27, 0xA9, 0x81, 0x4A, 0x1F, 0x5F, 0x7D, 0x5C,
+0xC2, 0xE6, 0x54, 0x12, 0xFB, 0xA7, 0xEB, 0x9F,
+0xB5, 0xAC, 0x05, 0xBE, 0xA9, 0x58, 0xAA, 0x49,
+0x32, 0xEE, 0x73, 0xE8, 0x2F, 0xB1, 0xD3, 0x2E,
+0x13, 0xBC, 0x26, 0x23, 0xA0, 0x82, 0xD4, 0x25,
+0x20, 0x34, 0xAE, 0x16, 0x48, 0xFB, 0x55, 0x2B,
+0x58, 0xC9, 0xC4, 0x84, 0xAC, 0xF7, 0xC4, 0x78,
+0x62, 0xB7, 0xBF, 0xA2, 0x32, 0xC7, 0x34, 0x1C,
+0xDF, 0x9E, 0xFE, 0xA8, 0x04, 0x85, 0xAF, 0xCB,
+0x5A, 0xD6, 0xC6, 0x68, 0x9F, 0x28, 0x03, 0xB7,
+0x98, 0x8E, 0xD4, 0xA5, 0xE1, 0x18, 0xD1, 0x64,
+0x79, 0x67, 0x04, 0x33, 0x6C, 0x4B, 0xE0, 0xCF,
+0x34, 0xFC, 0x81, 0x27, 0x98, 0x16, 0xBB, 0xA3,
+0x9F, 0xE1, 0x4D, 0x2B, 0x71, 0x21, 0x41, 0x90,
+0xFF, 0x20, 0xB8, 0x4A, 0xCF, 0xB2, 0x2D, 0xB1,
+0xF8, 0x89, 0x40, 0xBC, 0xB3, 0x9F, 0x94, 0x1C,
+0xF4, 0x68, 0xEA, 0x7B, 0x31, 0x29, 0xDA, 0x71,
+0xCC, 0x37, 0x9A, 0xF9, 0x36, 0x0B, 0x58, 0x11,
+0x6F, 0x28, 0x14, 0x6F, 0xAF, 0x57, 0x6B, 0xD7,
+0xBD, 0x36, 0x98, 0xF4, 0x6C, 0x84, 0xF8, 0x48,
+0xF1, 0xBF, 0x88, 0xEB, 0x5C, 0x06, 0x8B, 0x02,
+0xF1, 0xDF, 0x6A, 0xFD, 0x61, 0xCF, 0x05, 0x5E,
+0xB5, 0x99, 0x85, 0x31, 0x41, 0x1D, 0xE5, 0x67,
+0x5C, 0x83, 0xA2, 0xBA, 0x9C, 0x9C, 0x37, 0x44,
+0xEF, 0xBC, 0x0E, 0xDE, 0xBF, 0x91, 0x5B, 0x1F,
+0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01,
+0x1C, 0x30, 0x82, 0x01, 0x18, 0x30, 0x0F, 0x06,
+0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
+0x01, 0x05, 0x04, 0x02, 0x05, 0x00, 0x30, 0x22,
+0x06, 0x03, 0x55, 0x1D, 0x11, 0x04, 0x1B, 0x30,
+0x19, 0xA4, 0x17, 0x30, 0x15, 0x31, 0x13, 0x30,
+0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0A,
+0x54, 0x47, 0x56, 0x2D, 0x45, 0x2D, 0x33, 0x32,
+0x35, 0x36, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D,
+0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x5F,
+0x60, 0xCF, 0x61, 0x90, 0x55, 0xDF, 0x84, 0x43,
+0x14, 0x8A, 0x60, 0x2A, 0xB2, 0xF5, 0x7A, 0xF4,
+0x43, 0x18, 0xEF, 0x30, 0x1D, 0x06, 0x03, 0x55,
+0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x1E, 0xA5,
+0xBD, 0xCA, 0x59, 0x64, 0x55, 0x85, 0xAC, 0xDA,
+0x54, 0x34, 0x23, 0x40, 0xD1, 0xF6, 0xBD, 0xC3,
+0xB0, 0xF6, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D,
+0x13, 0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00,
+0x30, 0x6E, 0x06, 0x03, 0x55, 0x1D, 0x20, 0x04,
+0x67, 0x30, 0x65, 0x30, 0x63, 0x06, 0x0B, 0x60,
+0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x07,
+0x17, 0x03, 0x30, 0x54, 0x30, 0x26, 0x06, 0x08,
+0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01,
+0x16, 0x1A, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
+0x2F, 0x77, 0x77, 0x77, 0x2E, 0x73, 0x79, 0x6D,
+0x61, 0x75, 0x74, 0x68, 0x2E, 0x63, 0x6F, 0x6D,
+0x2F, 0x63, 0x70, 0x73, 0x30, 0x2A, 0x06, 0x08,
+0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x02,
+0x30, 0x1E, 0x1A, 0x1C, 0x20, 0x20, 0x68, 0x74,
+0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77,
+0x2E, 0x73, 0x79, 0x6D, 0x61, 0x75, 0x74, 0x68,
+0x2E, 0x63, 0x6F, 0x6D, 0x2F, 0x72, 0x70, 0x61,
+0x30, 0x13, 0x06, 0x03, 0x55, 0x1D, 0x25, 0x04,
+0x0C, 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01,
+0x05, 0x05, 0x07, 0x03, 0x09, 0x30, 0x0E, 0x06,
+0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04,
+0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x0D, 0x06,
+0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01,
+0x00, 0x45, 0xFF, 0xCA, 0xD2, 0xAC, 0x71, 0xBE,
+0xA5, 0x62, 0x86, 0x93, 0x30, 0xD0, 0xE5, 0xE5,
+0x87, 0xFC, 0xAA, 0x29, 0x73, 0x36, 0xD6, 0x66,
+0x33, 0xC4, 0xCB, 0xC5, 0x6E, 0xC6, 0x2C, 0x8C,
+0x8E, 0xEE, 0x4D, 0xC2, 0xFA, 0xB3, 0xC0, 0xE7,
+0x11, 0x02, 0x69, 0x7A, 0xC5, 0x89, 0x28, 0x86,
+0x31, 0xD5, 0x14, 0x43, 0x5A, 0x20, 0xB7, 0xBD,
+0x1C, 0x0B, 0x1C, 0x3C, 0x84, 0x58, 0xBA, 0x56,
+0x14, 0x5B, 0xB8, 0x38, 0x97, 0x18, 0x66, 0xD6,
+0x12, 0x51, 0x4B, 0x5A, 0x2D, 0x0D, 0x00, 0xA7,
+0xBA, 0x5A, 0xC9, 0x0C, 0x4B, 0x10, 0xDE, 0xF5,
+0xAE, 0x56, 0xA5, 0x24, 0xC6, 0x3E, 0x5E, 0xD9,
+0xF1, 0x39, 0x76, 0x0C, 0xD7, 0x4A, 0xBF, 0x19,
+0x1F, 0x14, 0xA4, 0x18, 0xEC, 0x0F, 0x5D, 0x47,
+0x00, 0x75, 0xF0, 0x4E, 0xB3, 0xA1, 0xB4, 0x81,
+0x7B, 0x97, 0xAC, 0x0A, 0xA8, 0x5E, 0x92, 0xCC,
+0xB0, 0x80, 0x53, 0x66, 0xFF, 0xC6, 0x1B, 0x71,
+0xAF, 0xE3, 0x46, 0x55, 0x9D, 0x26, 0x51, 0x97,
+0xB0, 0x66, 0x9D, 0x06, 0x70, 0xC5, 0x04, 0x78,
+0xBC, 0x99, 0x42, 0xBA, 0x77, 0x82, 0x0E, 0xE8,
+0x92, 0x18, 0x4A, 0x72, 0x92, 0x13, 0x25, 0x7F,
+0x40, 0x15, 0xF7, 0xA8, 0x07, 0xA2, 0xAD, 0x03,
+0xBA, 0x1C, 0xF2, 0x93, 0xBE, 0x14, 0x72, 0x69,
+0x2B, 0x85, 0xAC, 0x2E, 0x2C, 0xBF, 0x1C, 0xC6,
+0x6C, 0x91, 0xF3, 0x2F, 0xF0, 0xB0, 0x8A, 0xC3,
+0xB8, 0xAC, 0x9B, 0xD1, 0xA1, 0x4C, 0xB7, 0x34,
+0xCA, 0xC6, 0x90, 0x15, 0xA7, 0x39, 0xB4, 0xF1,
+0xED, 0x54, 0x53, 0x5C, 0x29, 0x6F, 0xCE, 0x97,
+0x3E, 0x72, 0x79, 0x24, 0xEA, 0xC8, 0x87, 0x21,
+0x5F, 0x40, 0xBF, 0x53, 0x37, 0x8E, 0xCA, 0x0B,
+0x44, 0xD0, 0x4B, 0x6E, 0xAD, 0x94, 0xFB, 0x0F,
+0x33, 0xFE, 0x86, 0xDF, 0x4C, 0xE9, 0x94, 0xBB,
+0x3F };
static gnutls_datum_t ocsp_resp1 =
- { (unsigned char *) RESP1, sizeof(RESP1) - 1 };
+ { (unsigned char *) _resp, sizeof(_resp) };
static void check_response(gnutls_session_t session, void *priv)
{
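Review bot: The new `_resp` array has no comment identifying the blob, although the expiration checks added later in doit() depend on one of its fields. The bytes decode to an OCSP response whose nextUpdate is the GeneralizedTime `20171126094347Z`. A comment above the array such as `/* DER OCSP response (unrelated to our certs); nextUpdate 20171126094347Z */` would let a reader connect it to those checks. The array is declared `const` but is stored in `ocsp_resp1` through `(unsigned char *) _resp`, which is only safe while nothing writes through the datum. That could be stated in the same comment.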
@@ -82,6 +284,7 @@ void doit(void)
const char *certfile;
const char *ocspfile1;
char certname[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE];
+ time_t t;
FILE *fp;
global_init();
@@ -112,18 +315,33 @@ void doit(void)
assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
fclose(fp);
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+
/* set OCSP response */
ocspfile1 = get_tmpname(ocspname1);
- ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0);
- if (ret < 0)
- fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
-
fp = fopen(ocspfile1, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0);
fclose(fp);
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, 0);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0);
+ if (t != 1511689427)
+ fail("error in OCSP validity time: %ld\n", (long int)t);
+
+ t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0);
+ if (t != -1)
+ fail("error in OCSP validity time: %ld\n", (long int)t);
+
+ t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0);
+ if (t != 1511689427)
+ fail("error in OCSP validity time: %ld\n", (long int)t);
+
+
/* make sure that our invalid OCSP responses are not considered in verification
*/
gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
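Review bot: The expected expiration `1511689427` is written twice as a bare literal with no link to the response it comes from. A named constant next to the blob, e.g. `#define RESP1_NEXT_UPDATE 1511689427 /* 2017-11-26 09:43:47 UTC, nextUpdate of _resp */`, would keep the two in step if the response is ever regenerated. The comparison `t != -1` would read more clearly as `t != (time_t)-1`. The added `gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK)` carries no comment; judging by the existing "invalid OCSP responses" comment below, it is there because the response does not belong to the loaded certificate, and a line such as `/* resp1 does not match our certificate; skip the load-time check */` would say so. doit() starts and ends outside this hunk.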
@@ -135,7 +353,9 @@ void doit(void)
fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
}
- test_cli_serv(xcred, clicred, "NORMAL", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */
+ test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */
+
+ test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL); /* the DNS name of the first cert */
gnutls_certificate_free_credentials(xcred);
gnutls_certificate_free_credentials(clicred);
diff --git a/tests/set_x509_key_file_ocsp_multi2.c b/tests/set_x509_key_file_ocsp_multi2.c
index 10c1b81a6f..b8dd927009 100644
--- a/tests/set_x509_key_file_ocsp_multi2.c
+++ b/tests/set_x509_key_file_ocsp_multi2.c
@@ -219,9 +219,19 @@ void doit(void)
fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
}
- test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost", &ocsp_resp1, check_response, NULL);
- test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost6", &ocsp_resp2, check_response, NULL);
- test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA", NULL, &ocsp_resp3, check_response, NULL);
+ success("TLS1.2 + resp1\n");
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL);
+ success("TLS1.2 + resp2\n");
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost6", &ocsp_resp2, check_response, NULL);
+ success("TLS1.2 + resp3\n");
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA:-VERS-TLS-ALL:+VERS-TLS1.2", NULL, &ocsp_resp3, check_response, NULL);
+
+ success("TLS1.3 + resp1\n");
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL);
+ success("TLS1.3 + resp2\n");
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &ocsp_resp2, check_response, NULL);
+ success("TLS1.3 + resp3\n");
+ test_cli_serv(xcred, clicred, "NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:-ECDHE-RSA:-RSA:-DHE-RSA:-VERS-TLS-ALL:+VERS-TLS1.3", NULL, &ocsp_resp3, check_response, NULL);
gnutls_certificate_free_credentials(xcred);
gnutls_certificate_free_credentials(clicred);
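Review bot: The TLS1.3 resp3 call adds `-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256` to the priority string with no comment on why the TLS1.2 form is not enough. Presumably removing key-exchange methods no longer selects the ECDSA certificate under TLS1.3, and a comment such as `/* TLS1.3: pick the ECDSA cert via the signature algorithm */` would record that. The same string appears in the -229 hunk of set_x509_ocsp_multi_invalid.c with `-DHE-RSA:-RSA` in a different order. Hoisting the three priority strings per protocol version into macros would remove the six long duplicated literals and keep the two files aligned. doit() begins outside this hunk.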
diff --git a/tests/set_x509_key_file_ocsp_multi.c b/tests/set_x509_ocsp_multi_invalid.c
index b2847055e0..8afa910833 100644
--- a/tests/set_x509_key_file_ocsp_multi.c
+++ b/tests/set_x509_ocsp_multi_invalid.c
@@ -15,9 +15,8 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with GnuTLS; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifdef HAVE_CONFIG_H
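Review bot: After this change the header names two different licenses. The retained lines refer to the "GNU General Public License", while the new closing sentence speaks of a copy of the "GNU Lesser General Public License". If the file stays under the GPL, the sentence should read `* You should have received a copy of the GNU General Public License`. The new files tests/set_x509_ocsp_multi_pem.c and tests/set_x509_ocsp_multi_unknown.c carry the same mixed header, granting under the GPL version 3 and then citing the Lesser GPL.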
@@ -181,40 +180,46 @@ void doit(void)
/* set OCSP response1 */
ocspfile1 = get_tmpname(ocspname1);
- ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1);
- if (ret < 0)
- fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
-
fp = fopen(ocspfile1, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(ocsp_resp1.data, 1, ocsp_resp1.size, fp)>0);
fclose(fp);
- /* set OCSP response2 */
- ocspfile2 = get_tmpname(ocspname2);
- ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile2, index2);
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1);
+ if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS)
+ fail("unexpected error in setting invalid ocsp file: %s\n", gnutls_strerror(ret));
+
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2|GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1);
if (ret < 0)
fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+ /* set OCSP response2 */
+ ocspfile2 = get_tmpname(ocspname2);
fp = fopen(ocspfile2, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(ocsp_resp2.data, 1, ocsp_resp2.size, fp)>0);
fclose(fp);
- /* set OCSP response3 */
- ocspfile3 = get_tmpname(ocspname3);
- ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index3);
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile2, index2);
if (ret < 0)
fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+ /* set OCSP response3 */
+ ocspfile3 = get_tmpname(ocspname3);
fp = fopen(ocspfile3, "wb");
if (fp == NULL)
fail("error in fopen\n");
assert(fwrite(ocsp_resp3.data, 1, ocsp_resp3.size, fp)>0);
fclose(fp);
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index3);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
/* set an OCSP response outside the bounds */
assert(gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, 34) == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
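Review bot: The two-step sequence for response1 is not explained in the code: the first set call is now expected to return `GNUTLS_E_OCSP_MISMATCH_WITH_CERTS`, then the flags are changed and the same file is set again. A comment before the first call such as `/* without SKIP_OCSP_RESPONSE_CHECK a response that does not match the chain must be rejected */` would make the intent readable, with one before `gnutls_certificate_set_flags` such as `/* disable the check so the mismatching responses can be loaded */`. `GNUTLS_CERTIFICATE_API_V2` is repeated in that call, which suggests the function replaces the earlier flag set rather than adding to it, and that is worth stating there. Only response1 gets the negative check, and responses 2 and 3 are loaded after the check is disabled. doit() starts outside this hunk.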
@@ -229,9 +234,13 @@ void doit(void)
fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
}
- test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost", &ocsp_resp1, check_response, NULL);
- test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA", "localhost6", &ocsp_resp2, check_response, NULL);
- test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA", NULL, &ocsp_resp3, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_resp1, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost6", &ocsp_resp2, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-RSA:-RSA:-DHE-RSA:-VERS-TLS-ALL:+VERS-TLS1.2", NULL, &ocsp_resp3, check_response, NULL);
+
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_resp1, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &ocsp_resp2, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-SIGN-ALL:+SIGN-ECDSA-SECP256R1-SHA256:-ECDHE-RSA:-DHE-RSA:-RSA:-VERS-TLS-ALL:+VERS-TLS1.3", NULL, &ocsp_resp3, check_response, NULL);
gnutls_certificate_free_credentials(xcred);
gnutls_certificate_free_credentials(clicred);
diff --git a/tests/set_x509_ocsp_multi_pem.c b/tests/set_x509_ocsp_multi_pem.c
new file mode 100644
index 0000000000..5b72a28a6c
--- /dev/null
+++ b/tests/set_x509_ocsp_multi_pem.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (C) 2016-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#ifdef ENABLE_OCSP
+
+#include "cert-common.h"
+#include "ocsp-common.h"
+#include "utils.h"
+
+/* Tests whether setting an OCSP response to a server with multiple
+ * certificate sets, is working as expected */
+
+static time_t mytime(time_t * t)
+{
+ time_t then = OCSP_RESP_DATE;
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+static void check_response(gnutls_session_t session, void *priv)
+{
+ int ret;
+ gnutls_datum_t resp;
+ gnutls_datum_t *exp_resp = priv;
+
+ ret = gnutls_ocsp_status_request_get(session, &resp);
+ if (ret < 0) {
+ if (priv == NULL)
+ return;
+ fail("no response was received\n");
+ }
+
+ if (priv == NULL) {
+ fail("not expected response, but received one\n");
+ }
+
+ if (resp.size != exp_resp->size || memcmp(resp.data, exp_resp->data, resp.size) != 0) {
+ fail("did not receive the expected response\n");
+ }
+
+ /* Check intermediate response */
+ if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_3) {
+ ret = gnutls_ocsp_status_request_get2(session, 1, &resp);
+ if (ret < 0) {
+ fail("no intermediate response was received\n");
+ }
+
+ if (resp.size != ocsp_subca3_unknown.size || memcmp(resp.data, ocsp_subca3_unknown.data, resp.size) != 0) {
+ fail("did not receive the expected intermediate response\n");
+ }
+ }
+}
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ int ret;
+ gnutls_certificate_credentials_t xcred;
+ gnutls_certificate_credentials_t clicred;
+ const char *certfile1;
+ const char *ocspfile1;
+ char certname1[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE];
+ FILE *fp;
+ unsigned index1;
+ time_t t;
+
+ global_init();
+ gnutls_global_set_time_function(mytime);
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
+ assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
+
+ certfile1 = get_tmpname(certname1);
+
+ /* set cert with localhost name */
+ fp = fopen(certfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0);
+ assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index1 = ret;
+
+ /* set OCSP response1, include an unrelated OCSP response */
+ ocspfile1 = get_tmpname(ocspname1);
+ fp = fopen(ocspfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(ocsp_subca3_unknown_pem.data, 1, ocsp_subca3_unknown_pem.size, fp)>0);
+ assert(fwrite(ocsp_ca3_localhost_unknown_pem.data, 1, ocsp_ca3_localhost_unknown_pem.size, fp)>0);
+ assert(fwrite(ocsp_ca3_localhost6_unknown_pem.data, 1, ocsp_ca3_localhost6_unknown_pem.size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file2(xcred, ocspfile1, index1,
+ GNUTLS_X509_FMT_PEM);
+ if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* set OCSP response1, include correct responses */
+ remove(ocspfile1);
+ fp = fopen(ocspfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(ocsp_subca3_unknown_pem.data, 1, ocsp_subca3_unknown_pem.size, fp)>0);
+ assert(fwrite(ocsp_ca3_localhost_unknown_pem.data, 1, ocsp_ca3_localhost_unknown_pem.size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file2(xcred, ocspfile1, index1,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
+ }
+
+ t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 0, 0);
+ if (t != 1509625639)
+ fail("error in OCSP validity time: %ld\n", (long int)t);
+
+ t = gnutls_certificate_get_ocsp_expiration(xcred, 0, 1, 0);
+ if (t != 1509625639)
+ fail("error in OCSP validity time: %ld\n", (long int)t);
+
+ t = gnutls_certificate_get_ocsp_expiration(xcred, 0, -1, 0);
+ if (t != 1509625639)
+ fail("error in OCSP validity time: %ld\n", (long int)t);
+
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL);
+
+ gnutls_certificate_free_credentials(xcred);
+ gnutls_certificate_free_credentials(clicred);
+ gnutls_global_deinit();
+ remove(ocspfile1);
+ remove(certfile1);
+}
+
+#else
+void doit(void)
+{
+ exit(77);
+}
+#endif
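Review bot: The expected-failure check in doit(), `if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS)`, reports "ocsp file set failed", so when the call wrongly succeeds the log shows a set failure followed by a success string. The wording used in set_x509_ocsp_multi_invalid.c fits better: `fail("unexpected error in setting invalid ocsp file: %s\n", gnutls_strerror(ret));`. The file calls `memcmp` and `strlen` but does not include `<string.h>` itself; unless one of the project headers supplies it, `#include <string.h>` should be added. The description comment "multiple certificate sets" looks copied from the sibling tests, since this file loads one certificate set and a PEM file holding several responses. The three expiration checks pass a literal `0` rather than `index1` and repeat the bare value `1509625639`.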
diff --git a/tests/set_x509_ocsp_multi_unknown.c b/tests/set_x509_ocsp_multi_unknown.c
new file mode 100644
index 0000000000..b0f62ac668
--- /dev/null
+++ b/tests/set_x509_ocsp_multi_unknown.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2016-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#ifdef ENABLE_OCSP
+
+#include "cert-common.h"
+#include "ocsp-common.h"
+#include "utils.h"
+
+/* Tests whether setting an OCSP response to a server with multiple
+ * certificate sets, is working as expected */
+
+static time_t mytime(time_t * t)
+{
+ time_t then = OCSP_RESP_DATE;
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+static void check_response(gnutls_session_t session, void *priv)
+{
+ int ret;
+ gnutls_datum_t resp;
+ gnutls_datum_t *exp_resp = priv;
+
+ ret = gnutls_ocsp_status_request_get(session, &resp);
+ if (ret < 0) {
+ if (priv == NULL)
+ return;
+ fail("no response was received\n");
+ }
+
+ if (priv == NULL) {
+ fail("not expected response, but received one\n");
+ }
+
+ if (resp.size != exp_resp->size || memcmp(resp.data, exp_resp->data, resp.size) != 0) {
+ fail("did not receive the expected response\n");
+ }
+
+ /* Check intermediate response */
+ if (gnutls_protocol_get_version(session) == GNUTLS_TLS1_3) {
+ ret = gnutls_ocsp_status_request_get2(session, 1, &resp);
+ if (ret < 0) {
+ fail("no intermediate response was received\n");
+ }
+
+ if (resp.size != ocsp_subca3_unknown.size || memcmp(resp.data, ocsp_subca3_unknown.data, resp.size) != 0) {
+ fail("did not receive the expected intermediate response\n");
+ }
+ }
+}
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ int ret;
+ gnutls_certificate_credentials_t xcred;
+ gnutls_certificate_credentials_t clicred;
+ const char *certfile1;
+ const char *certfile2;
+ const char *ocspfile1;
+ const char *ocspfile2;
+ const char *ocspfile3;
+ char certname1[TMPNAME_SIZE], ocspname1[TMPNAME_SIZE];
+ char certname2[TMPNAME_SIZE], ocspname2[TMPNAME_SIZE];
+ char ocspname3[TMPNAME_SIZE];
+ FILE *fp;
+ unsigned index1, index2; /* indexes of certs */
+
+ global_init();
+ gnutls_global_set_time_function(mytime);
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
+ assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
+
+ certfile1 = get_tmpname(certname1);
+
+ /* set cert with localhost name */
+ fp = fopen(certfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0);
+ assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index1 = ret;
+
+ /* set cert with localhost6 name */
+ certfile2 = get_tmpname(certname2);
+
+ fp = fopen(certfile2, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0);
+ assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile2, certfile2,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index2 = ret;
+
+
+ /* set OCSP response1 */
+ ocspfile1 = get_tmpname(ocspname1);
+ fp = fopen(ocspfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(ocsp_ca3_localhost_unknown.data, 1, ocsp_ca3_localhost_unknown.size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* set OCSP response2 */
+ ocspfile2 = get_tmpname(ocspname2);
+ fp = fopen(ocspfile2, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(ocsp_ca3_localhost6_unknown.data, 1, ocsp_ca3_localhost6_unknown.size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile2, index2);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* try to set a duplicate OCSP response */
+ ocspfile3 = get_tmpname(ocspname3);
+ fp = fopen(ocspfile3, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(ocsp_ca3_localhost_unknown_sha1.data, 1, ocsp_ca3_localhost_unknown_sha1.size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index1);
+ if (ret != 0)
+ fail("setting duplicate didn't succeed as expected: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index2);
+ if (ret != GNUTLS_E_OCSP_MISMATCH_WITH_CERTS)
+ fail("setting invalid didn't fail as expected: %s\n", gnutls_strerror(ret));
+
+ /* re-set the previous duplicate set for index1 to the expected*/
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile1, index1);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* set an intermediate CA OCSP response */
+ fp = fopen(ocspfile3, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(ocsp_subca3_unknown.data, 1, ocsp_subca3_unknown.size, fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index1);
+ if (ret < 0)
+ fail("setting subCA failed: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_ocsp_status_request_file(xcred, ocspfile3, index2);
+ if (ret < 0)
+ fail("setting subCA failed: %s\n", gnutls_strerror(ret));
+
+
+ ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
+ }
+
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2", "localhost6", &ocsp_ca3_localhost6_unknown, check_response, NULL);
+
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &ocsp_ca3_localhost_unknown, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &ocsp_ca3_localhost6_unknown, check_response, NULL);
+
+ gnutls_certificate_free_credentials(xcred);
+ gnutls_certificate_free_credentials(clicred);
+ gnutls_global_deinit();
+ remove(ocspfile1);
+ remove(ocspfile2);
+ remove(ocspfile3);
+ remove(certfile1);
+ remove(certfile2);
+}
+
+#else
+void doit(void)
+{
+ exit(77);
+}
+#endif
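Review bot: Every temp-file write in doit() is wrapped as `assert(fwrite(...)>0)`, so a build with NDEBUG defined drops the writes entirely and the following `gnutls_certificate_set_x509_key_file2()` and `gnutls_certificate_set_ocsp_status_request_file()` calls would read empty files. The `>0` comparison also accepts a short write, and `fclose()` is never checked. I would test the write outside assert, e.g. `if (fwrite(buf, 1, len, fp) != len) fail("error in fwrite\n");` followed by `if (fclose(fp) != 0) fail("error in fclose\n");`, where `buf` and `len` stand for each call's data and size. The same pattern is used in doit() in tests/tls13/multi-ocsp.c and tests/tls13/ocsp-client.c. Separately, the temp files hold the server key and are removed only at the end of doit(), so if fail() terminates the process (its definition is not visible here) they are left behind on any failing run.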
diff --git a/tests/tls13/multi-ocsp.c b/tests/tls13/multi-ocsp.c
new file mode 100644
index 0000000000..77a1af7465
--- /dev/null
+++ b/tests/tls13/multi-ocsp.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2016-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <assert.h>
+
+#ifdef ENABLE_OCSP
+
+#include "ocsp-common.h"
+#include "cert-common.h"
+#include "utils.h"
+
+/* Tests whether we can send and receive multiple OCSP responses
+ * one for each certificate in a chain under TLS 1.3.
+ */
+
+static time_t mytime(time_t * t)
+{
+ time_t then = 1469186559;
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+static const gnutls_datum_t ocsp_resp_localhost[] = {
+ { (void*)_ocsp_ca3_localhost_unknown, sizeof(_ocsp_ca3_localhost_unknown) },
+ { NULL, 0}};
+
+static const gnutls_datum_t ocsp_resp_localhost6[] = {
+ { (void*)_ocsp_ca3_localhost6_unknown, sizeof(_ocsp_ca3_localhost6_unknown) },
+ { (void*)_ocsp_subca3_unknown, sizeof(_ocsp_subca3_unknown) }};
+
+typedef struct ctx_st {
+ const char *name;
+ const gnutls_datum_t *ocsp;
+ unsigned nocsp;
+} ctx_st;
+
+static ctx_st test_localhost = {"single response", ocsp_resp_localhost, 1};
+static ctx_st test_localhost6 = {"two responses", ocsp_resp_localhost6, 2};
+
+#define myfail(fmt, ...) \
+ fail("%s: "fmt, test->name, ##__VA_ARGS__)
+
+static void check_response(gnutls_session_t session, void *priv)
+{
+ int ret;
+ gnutls_datum_t resp;
+ ctx_st *test = priv;
+ unsigned i;
+
+ assert(test != NULL);
+
+ for (i=0;;i++) {
+ ret = gnutls_ocsp_status_request_get2(session, i, &resp);
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ if (ret < 0) {
+ if (test->ocsp[i].size == 0)
+ return;
+ myfail("no response was received\n");
+ }
+
+ if (test->ocsp[i].size == 0) {
+ myfail("not expected response, but received one\n");
+ }
+
+ if (resp.size != test->ocsp[i].size) {
+ myfail("did not receive the expected response size for %d\n", i);
+ }
+
+ if (memcmp(resp.data, test->ocsp[i].data, resp.size) != 0) {
+ myfail("did not receive the expected response for %d\n", i);
+ }
+ }
+
+ if (i != test->nocsp) {
+ myfail("The number of OCSP responses received (%d) does not match the expected (%d)\n", i, test->nocsp);
+ }
+
+}
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ int ret;
+ gnutls_certificate_credentials_t xcred;
+ gnutls_certificate_credentials_t clicred;
+ const char *certfile1;
+ const char *certfile2;
+ char certname1[TMPNAME_SIZE];
+ char certname2[TMPNAME_SIZE];
+ FILE *fp;
+ unsigned index1, index2; /* indexes of certs */
+
+ global_init();
+ gnutls_global_set_time_function(mytime);
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
+ assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+
+ gnutls_certificate_set_flags(xcred, GNUTLS_CERTIFICATE_API_V2);
+
+ certfile1 = get_tmpname(certname1);
+
+ /* set cert with localhost name */
+ fp = fopen(certfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0);
+ assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index1 = ret;
+
+ certfile2 = get_tmpname(certname2);
+
+ fp = fopen(certfile2, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(server_localhost6_ca3_cert_chain_pem, 1, strlen(server_localhost6_ca3_cert_chain_pem), fp)>0);
+ assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile2, certfile2,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index2 = ret;
+
+
+ /* set OCSP response1 */
+ ret = gnutls_certificate_set_ocsp_status_request_mem(xcred, &test_localhost.ocsp[0], index1, GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* set OCSP response2 */
+ ret = gnutls_certificate_set_ocsp_status_request_mem(xcred, &test_localhost6.ocsp[0], index2, GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ ret = gnutls_certificate_set_ocsp_status_request_mem(xcred, &test_localhost6.ocsp[1], index2, GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* make sure that our invalid OCSP responses are not considered in verification
+ */
+ gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
+ if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
+ fail("error in gnutls_certificate_set_verify_flags\n");
+
+ ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
+ }
+
+ test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost", &test_localhost, check_response, NULL);
+ test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", "localhost6", &test_localhost6, check_response, NULL);
+
+ gnutls_certificate_free_credentials(xcred);
+ gnutls_certificate_free_credentials(clicred);
+ gnutls_global_deinit();
+ remove(certfile1);
+ remove(certfile2);
+}
+
+#else
+void doit(void)
+{
+ exit(77);
+}
+#endif
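Review bot: In check_response() the loop indexes `test->ocsp[i]` with no upper bound, and the count is compared with `test->nocsp` only after the loop ends. `ocsp_resp_localhost6` has exactly two entries and, unlike `ocsp_resp_localhost`, no `{ NULL, 0 }` terminator, so a peer that delivers a third response makes the test read past the end of the array before it can report the mismatch. A guard placed right after the `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` check keeps the failure deterministic: `if (i >= test->nocsp) myfail("more OCSP responses received than the %u expected\n", test->nocsp);`. The file also calls `memcmp()` and `strlen()` without including `<string.h>` itself, presumably relying on utils.h.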
diff --git a/tests/tls13/ocsp-client.c b/tests/tls13/ocsp-client.c
new file mode 100644
index 0000000000..57ad803292
--- /dev/null
+++ b/tests/tls13/ocsp-client.c
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2016-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <assert.h>
+
+#ifdef ENABLE_OCSP
+
+#include "cert-common.h"
+#include "utils.h"
+
+/* Tests whether we can send and receive multiple OCSP responses
+ * one for each certificate in a chain under TLS 1.3.
+ */
+
+static time_t mytime(time_t * t)
+{
+ time_t then = 1469186559;
+ if (t)
+ *t = then;
+
+ return then;
+}
+
+#define RESP1 "\x30\x82\x06\x8C\x0A\x01\x00\xA0\x82\x06\x85\x30\x82\x06\x81\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x06\x72\x30\x82\x06\x6E\x30\x82\x01\x07\xA1\x69\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\x30\x64\x30\x62\x30\x3A\x30\x09\x06\x05\x2B\x0E\x03\x02\x1A\x05\x00\x04\x14\x13\x9D\xA0\x9E\xF4\x32\xAB\x8F\xE2\x89\x56\x67\xFA\xD0\xD4\xE3\x35\x86\x71\xB9\x04\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\x02\x01\x1D\x80\x00\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x34\x32\x38\x5A\xA0\x11\x18\x0F\x32\x30\x31\x31\x30\x39\x32\x37\x30\x39\x35\x39\x32\x38\x5A\xA1\x23\x30\x21\x30\x1F\x06\x09\x2B\x06\x01\x05\x05\x07\x30\x01\x02\x04\x12\x04\x10\x16\x89\x7D\x91\x3A\xB5\x25\xA4\x45\xFE\xC9\xFD\xC2\xE5\x08\xA4\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x4E\xAD\x6B\x2B\xF7\xF2\xBF\xA9\x23\x1E\x3A\x0B\x06\xDB\x55\x53\x2B\x64\x54\x11\x32\xBF\x60\xF7\x4F\xE0\x8E\x9B\xA0\xA2\x4C\x79\xC3\x2A\xE0\x43\xF7\x40\x1A\xDC\xB9\xB4\x25\xEF\x48\x01\x97\x8C\xF5\x1E\xDB\xD1\x30\x37\x73\x69\xD6\xA7\x7A\x2D\x8E\xDE\x5C\xAA\xEA\x39\xB9\x52\xAA\x25\x1E\x74\x7D\xF9\x78\x95\x8A\x92\x1F\x98\x21\xF4\x60\x7F\xD3\x28\xEE\x47\x9C\xBF\xE2\x5D\xF6\x3F\x68\x0A\xD6\xFF\x08\xC1\xDC\x95\x1E\x29\xD7\x3E\x85\xD5\x65\xA4\x4B\xC0\xAF\xC3\x78\xAB\x06\x98\x88\x19\x8A\x64\xA6\x83\x91\x87\x13\xDB\x17\xCC\x46\xBD\xAB\x4E\xC7\x16\xD1\xF8\x35\xFD\x27\xC8\xF6\x6B\xEB\x37\xB8\x08\x6F\xE2\x6F\xB4\x7E\xD5\x68\xDB\x7F\x5D\x5E\x36\x38\xF2\x77\x59\x13\xE7\x3E\x4D\x67\x5F\xDB\xA2\xF5\x5D\x7C
\xBF\xBD\xB5\x37\x33\x51\x36\x63\xF8\x21\x1E\xFC\x73\x8F\x32\x69\xBB\x97\xA7\xBD\xF1\xB6\xE0\x40\x09\x68\xEA\xD5\x93\xB8\xBB\x39\x8D\xA8\x16\x1B\xBF\x04\x7A\xBC\x18\x43\x01\xE9\x3C\x19\x5C\x4D\x4B\x98\xD8\x23\x37\x39\xA4\xC4\xDD\xED\x9C\xEC\x37\xAB\x66\x44\x9B\xE7\x5B\x5D\x32\xA2\xDB\xA6\x0B\x3B\x8C\xE1\xF5\xDB\xCB\x7D\x58\xA0\x82\x04\x4B\x30\x82\x04\x47\x30\x82\x04\x43\x30\x82\x03\x2B\xA0\x03\x02\x01\x02\x02\x01\x1E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x30\x1E\x17\x0D\x30\x39\x31\x31\x32\x34\x31\x32\x35\x31\x35\x33\x5A\x17\x0D\x31\x34\x31\x31\x32\x33\x31\x32\x35\x31\x35\x33\x5A\x30\x67\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1F\x30\x1D\x06\x03\x55\x04\x0B\x13\x16\x4F\x43\x53\x50\x20\x53\x69\x67\x6E\x69\x6E\x67\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x31\x1C\x30\x1A\x06\x03\x55\x04\x03\x13\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xBC\x05\x3E\x4B\xBE\xC6\xB1\x33\x48\x0E\xC3\xD4\x0C\xEF\x83\x0B\xBD\xBC\x57\x5F\x14\xEF\xF5\x6D\x0B\xFF\xFA\x01\x9C\xFA\x21\x6D\x5C\xAE\x79\x29\x74\xFE\xBD\xAB\x70\x87\x98\x6B\x48\x35\x79\xE3\xE0\xC1\x14\x41\x1F\x0A\xF7\xE7\xA3\xA6\xDA\x6B\xFF\xCD\x74\xE9\x95\x00\x38\xAA\xD6\x3A\x60\xC6\x64\xA1\xE6\x02\x39\x58\x4E\xFD\xF2\x78\x08\x63\xB6\xD7\x7A\x96\x79\x62\x18\x39\xEE\x27\x8D\x3B\xA2\x3D\x48\x88\xDB\x43\xD6\x6A\x77\x20\x6A\x27\x39\x50\xE0\x02\x50\x19\xF2\x7A\xCF\x78\x23\x99\x01\xD4\xE5\xB1\xD1\x31\xE6\x6B\x84\xAF\xD0\x77\x41\x46\x85\xB0\x3B\xE6\x6A
\x00\x0F\x3B\x7E\x95\x7F\x59\xA8\x22\xE8\x49\x49\x05\xC8\xCB\x6C\xEE\x47\xA7\x2D\xC9\x74\x5B\xEB\x8C\xD5\x99\xC2\xE2\x70\xDB\xEA\x87\x43\x84\x0E\x4F\x83\x1C\xA6\xEB\x1F\x22\x38\x17\x69\x9B\x72\x12\x95\x48\x71\xB2\x7B\x92\x73\x52\xAB\xE3\x1A\xA5\xD3\xF4\x44\x14\xBA\xC3\x35\xDA\x91\x6C\x7D\xB4\xC2\x00\x07\xD8\x0A\x51\xF1\x0D\x4C\xD9\x7A\xD1\x99\xE6\xA8\x8D\x0A\x80\xA8\x91\xDD\x8A\xA2\x6B\xF6\xDB\xB0\x3E\xC9\x71\xA9\xE0\x39\xC3\xA3\x58\x0D\x87\xD0\xB2\xA7\x9C\xB7\x69\x02\x03\x01\x00\x01\xA3\x82\x01\x1A\x30\x82\x01\x16\x30\x09\x06\x03\x55\x1D\x13\x04\x02\x30\x00\x30\x0B\x06\x03\x55\x1D\x0F\x04\x04\x03\x02\x03\xA8\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x34\x91\x6E\x91\x32\xBF\x35\x25\x43\xCC\x28\x74\xEF\x82\xC2\x57\x92\x79\x13\x73\x30\x6D\x06\x03\x55\x1D\x23\x04\x66\x30\x64\x80\x14\x5D\xA7\xDD\x70\x06\x51\x32\x7E\xE7\xB6\x6D\xB3\xB5\xE5\xE0\x60\xEA\x2E\x4D\xEF\xA1\x49\xA4\x47\x30\x45\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x48\x31\x19\x30\x17\x06\x03\x55\x04\x0A\x13\x10\x4C\x69\x6E\x75\x78\x20\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x73\x74\x72\x6F\x6E\x67\x53\x77\x61\x6E\x20\x52\x6F\x6F\x74\x20\x43\x41\x82\x01\x00\x30\x1E\x06\x03\x55\x1D\x11\x04\x17\x30\x15\x82\x13\x6F\x63\x73\x70\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x30\x13\x06\x03\x55\x1D\x25\x04\x0C\x30\x0A\x06\x08\x2B\x06\x01\x05\x05\x07\x03\x09\x30\x39\x06\x03\x55\x1D\x1F\x04\x32\x30\x30\x30\x2E\xA0\x2C\xA0\x2A\x86\x28\x68\x74\x74\x70\x3A\x2F\x2F\x63\x72\x6C\x2E\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x6F\x72\x67\x2F\x73\x74\x72\x6F\x6E\x67\x73\x77\x61\x6E\x2E\x63\x72\x6C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x6D\x78\xD7\x66\x90\xA6\xEB\xDD\xB5\x09\x48\xA4\xDA\x27\xFA\xAC\xB1\xBC\x8F\x8C\xBE\xCC\x8C\x09\xA2\x40\x0D\x6C\x4A\xAE\x72\x22\x1E\xC8\xAF\x6D\xF1\x12\xAF\xD7\x40\x51\x79\xD4\xDD\xB2\x0C\xDB\x97\x84\xB6\x24\xD5\xF5\xA8\xBB\xC0\x4B\xF9\x7F\x71\xF7\xB0\x65\x42\x4A\x7D\xFE\x76\x7E\x05\xD2
\x46\xB8\x7D\xB3\x39\x4C\x5C\xB1\xFA\xB9\xEE\x3B\x70\x33\x39\x57\x1A\xB9\x95\x51\x33\x00\x25\x1B\x4C\xAA\xB4\xA7\x55\xAF\x63\x6D\x6F\x88\x17\x6A\x7F\xB0\x97\xDE\x49\x14\x6A\x27\x6A\xB0\x42\x80\xD6\xA6\x9B\xEF\x04\x5E\x11\x7D\xD5\x8E\x54\x20\xA2\x76\xD4\x66\x58\xAC\x9C\x12\xD3\xF5\xCA\x54\x98\xCA\x21\xEC\xC1\x55\xA1\x2F\x68\x0B\x5D\x04\x50\xD2\x5E\x70\x25\xD8\x13\xD9\x44\x51\x0E\x8A\x42\x08\x18\x84\xE6\x61\xCE\x5A\x7D\x7B\x81\x35\x90\xC3\xD4\x9D\x19\xB6\x37\xEE\x8F\x63\x5C\xDA\xD8\xF0\x64\x60\x39\xEB\x9B\x1C\x54\x66\x75\x76\xB5\x0A\x58\xB9\x3F\x91\xE1\x21\x9C\xA0\x50\x15\x97\xB6\x7E\x41\xBC\xD0\xC4\x21\x4C\xF5\xD7\xF0\x13\xF8\x77\xE9\x74\xC4\x8A\x0E\x20\x17\x32\xAE\x38\xC2\xA5\xA8\x62\x85\x17\xB1\xA2\xD3\x22\x9F\x95\xB7\xA3\x4C"
+
+static gnutls_datum_t ocsp_resp1 =
+ { (unsigned char *) RESP1, sizeof(RESP1) - 1 };
+
+#define RESP3 "\x30\x82\x01\xd3\x0a\x01\x00\xa0\x82\x01\xcc\x30\x82\x01\xc8\x06\x09\x2b\x06\x01\x05\x05\x07\x30\x01\x01\x04\x82\x01\xb9\x30\x82\x01\xb5\x30\x81\x9e\xa2\x16\x04\x14\x50\xea\x73\x89\xdb\x29\xfb\x10\x8f\x9e\xe5\x01\x20\xd4\xde\x79\x99\x48\x83\xf7\x18\x0f\x32\x30\x31\x34\x30\x39\x30\x34\x30\x35\x34\x39\x30\x30\x5a\x30\x73\x30\x71\x30\x49\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14\xed\x48\xad\xdd\xcb\x7b\x00\xe2\x0e\x84\x2a\xa9\xb4\x09\xf1\xac\x30\x34\xcf\x96\x04\x14\x50\xea\x73\x89\xdb\x29\xfb\x10\x8f\x9e\xe5\x01\x20\xd4\xde\x79\x99\x48\x83\xf7\x02\x10\x02\x01\x48\x91\x5d\xfd\x5e\xb6\xe0\x02\x90\xa9\x67\xb0\xe4\x64\x80\x00\x18\x0f\x32\x30\x31\x34\x30\x39\x30\x34\x30\x35\x34\x39\x30\x30\x5a\xa0\x11\x18\x0f\x32\x30\x31\x34\x30\x39\x31\x31\x30\x36\x30\x34\x30\x30\x5a\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05\x05\x00\x03\x82\x01\x01\x00\x6e\x5e\x5e\x81\xff\x3f\x4d\xc7\x53\xc7\x1b\xf3\xd3\x1d\xdc\x9a\xc7\xce\x77\x2c\x67\x56\x13\x98\x91\x02\x01\x76\xdc\x48\xb2\x1f\x9b\x17\xea\xbf\x2c\x0a\xf5\x1d\x98\x90\x3c\x5f\x55\xc2\xff\x4b\x9a\xbc\xa6\x83\x9e\xab\x2b\xeb\x9d\x01\xea\x3b\x5f\xbe\x03\x29\x70\x63\x2a\xa4\x1d\xa8\xab\x69\xb2\x64\xba\x5d\x73\x91\x5c\x92\xf3\x69\xd4\xc9\x39\x9c\x7c\x7d\xa2\x47\x92\xc2\x56\xfe\xa1\x0d\x4a\x69\xff\xda\x48\xc5\x5e\xd8\xab\x39\x88\x6a\x06\xfa\x07\x57\xd6\x48\xb5\xce\xc9\x5f\xa5\x96\xfe\x37\x18\x5e\x7f\x35\x51\xc1\x9e\x79\x5a\x26\xba\x67\x67\x38\x2a\x80\x75\x42\x99\x68\x3e\xec\x2f\x7e\x2d\xa1\xa6\xbe\x9f\x01\x51\x22\x88\x3a\xc9\x9c\xed\x51\xef\x21\x66\x7e\xa9\xd0\x3f\x13\x9c\xbb\xd2\x94\x14\x6f\x4b\xd9\xc4\xf5\x2c\xf5\x7d\x07\x68\xf3\x51\xac\xda\xc2\x09\x66\xa9\x3d\xed\xad\x02\x4d\x9c\x11\x29\x1a\x54\xfb\x1e\x7e\x36\xf4\xbb\x0d\x08\x8c\x6a\x42\x08\x10\x29\x08\x7c\x56\x0b\x18\x47\xff\x87\x11\xfd\xb2\xfb\xc9\x22\x7f\xe3\x1f\x7b\xf9\x98\xaa\x3a\x32\xb6\x2f\x02\xba\xb6\xc1\xdc\xc3\x5d\xb5\x4b\xae\x5d\x29\x6a\x31\xde\xcd"
+static gnutls_datum_t ocsp_resp2 =
+ { (unsigned char *) RESP3, sizeof(RESP3) - 1 };
+
+
+static void check_response(gnutls_session_t session, void *priv)
+{
+ int ret;
+ gnutls_datum_t resp;
+ gnutls_datum_t *ocsp = priv;
+ unsigned i;
+
+ assert(ocsp != NULL);
+
+ for (i=0;;i++) {
+ ret = gnutls_ocsp_status_request_get2(session, i, &resp);
+ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ if (ret < 0) {
+ if (ocsp->size == 0)
+ return;
+ fail("no response was received: %s\n", gnutls_strerror(ret));
+ }
+
+ if (ocsp->size == 0) {
+ fail("not expected response, but received one\n");
+ }
+
+ if (resp.size != ocsp->size) {
+ fail("did not receive the expected response size for %d\n", i);
+ }
+
+ if (memcmp(resp.data, ocsp->data, resp.size) != 0) {
+ fail("did not receive the expected response for %d\n", i);
+ }
+ }
+
+ if (i != 1) {
+ fail("The number of OCSP responses received (%d) does not match the expected (%d)\n", i, 1);
+ }
+}
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+void doit(void)
+{
+ int ret;
+ gnutls_certificate_credentials_t xcred;
+ gnutls_certificate_credentials_t clicred;
+ const char *certfile1;
+ const char *certfile2;
+ const char *certfile3;
+ char certname1[TMPNAME_SIZE];
+ char certname2[TMPNAME_SIZE];
+ char certname3[TMPNAME_SIZE];
+ FILE *fp;
+ unsigned index1, index2; /* indexes of certs */
+
+ global_init();
+ gnutls_global_set_time_function(mytime);
+
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4711);
+
+ assert(gnutls_certificate_allocate_credentials(&xcred) >= 0);
+ assert(gnutls_certificate_allocate_credentials(&clicred) >= 0);
+
+ gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_API_V2);
+
+ certfile1 = get_tmpname(certname1);
+
+ /* set cert with localhost name */
+ fp = fopen(certfile1, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(server_localhost_ca3_cert_chain_pem, 1, strlen(server_localhost_ca3_cert_chain_pem), fp)>0);
+ assert(fwrite(server_ca3_key_pem, 1, strlen((char*)server_ca3_key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(xcred, certfile1, certfile1,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+
+ /* load client certificates */
+ certfile2 = get_tmpname(certname2);
+
+ fp = fopen(certfile2, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(cli_ca3_cert_pem, 1, strlen(cli_ca3_cert_pem), fp)>0);
+ assert(fwrite(cli_ca3_key_pem, 1, strlen(cli_ca3_key_pem), fp)>0);
+ fclose(fp);
+ ret = gnutls_certificate_set_x509_key_file2(clicred, certfile2, certfile2,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index1 = ret;
+
+
+ certfile3 = get_tmpname(certname3);
+ fp = fopen(certfile3, "wb");
+ if (fp == NULL)
+ fail("error in fopen\n");
+ assert(fwrite(cert_pem, 1, strlen((char*)cert_pem), fp)>0);
+ assert(fwrite(key_pem, 1, strlen((char*)key_pem), fp)>0);
+ fclose(fp);
+
+ ret = gnutls_certificate_set_x509_key_file2(clicred, certfile3, certfile3,
+ GNUTLS_X509_FMT_PEM, NULL, 0);
+ if (ret < 0)
+ fail("set_x509_key_file failed: %s\n", gnutls_strerror(ret));
+ index2 = ret;
+
+
+ gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+ /* set OCSP response1 */
+ ret = gnutls_certificate_set_ocsp_status_request_mem(clicred, &ocsp_resp2, index2, GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* set OCSP response2 */
+ ret = gnutls_certificate_set_ocsp_status_request_mem(clicred, &ocsp_resp1, index1, GNUTLS_X509_FMT_DER);
+ if (ret < 0)
+ fail("ocsp file set failed: %s\n", gnutls_strerror(ret));
+
+ /* make sure that our invalid OCSP responses are not considered in verification
+ */
+ gnutls_certificate_set_verify_flags(clicred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
+ if (gnutls_certificate_get_verify_flags(clicred) != GNUTLS_VERIFY_DISABLE_CRL_CHECKS)
+ fail("error in gnutls_certificate_set_verify_flags\n");
+
+ ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
+ }
+
+ ret = gnutls_certificate_set_x509_trust_mem(xcred, &subca3_cert, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) {
+ fail("error in setting trust cert: %s\n", gnutls_strerror(ret));
+ }
+
+ _test_cli_serv(xcred, clicred, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3",
+ "localhost",
+ &ocsp_resp1, NULL, check_response,
+ 0, 1, 0, 0);
+
+ gnutls_certificate_free_credentials(xcred);
+ gnutls_certificate_free_credentials(clicred);
+ gnutls_global_deinit();
+ remove(certfile1);
+ remove(certfile2);
+ remove(certfile3);
+}
+
+#else
+void doit(void)
+{
+ exit(77);
+}
+#endif
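Review bot: doit() calls `gnutls_certificate_set_flags(clicred, ...)` twice, first with `GNUTLS_CERTIFICATE_API_V2` and later with `GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK`; as far as I recall this setter assigns the flag word rather than OR-ing into it, so the second call clears API_V2 and the test works only because `index1` and `index2` were captured beforehand. Setting both in one call near the top is clearer: `gnutls_certificate_set_flags(clicred, GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);`, with a comment saying that the canned RESP1/RESP3 blobs are not expected to match the client certificates and that the skip flag is there only so the test can load them. The comments `set OCSP response1` and `set OCSP response2` sit on the calls that load `ocsp_resp2` and `ocsp_resp1` respectively, and the file header still describes the multi-response test rather than client-sent OCSP status. The verify-flags comment talks about "our invalid OCSP responses" but applies `GNUTLS_VERIFY_DISABLE_CRL_CHECKS` to `clicred`, while those responses are sent by the client and would be evaluated with the server credentials (`xcred`); it is worth confirming which side was intended.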
diff --git a/tests/utils-adv.c b/tests/utils-adv.c
index 1986e50bd1..a084136646 100644
--- a/tests/utils-adv.c
+++ b/tests/utils-adv.c
@@ -42,7 +42,7 @@ int _gnutls_server_name_set_raw(gnutls_session_t session,
const char *side = NULL;
/* if @host is NULL certificate check is skipped */
-static int
+int
_test_cli_serv(gnutls_certificate_credentials_t server_cred,
gnutls_certificate_credentials_t client_cred,
const char *serv_prio, const char *cli_prio,
diff --git a/tests/utils.h b/tests/utils.h
index d59c8e7bfe..ebd4d2b7ad 100644
--- a/tests/utils.h
+++ b/tests/utils.h
@@ -94,6 +94,17 @@ void test_cli_serv(gnutls_certificate_credentials_t server_cred,
void *priv,
callback_func * client_cb, callback_func * server_cb);
+int
+_test_cli_serv(gnutls_certificate_credentials_t server_cred,
+ gnutls_certificate_credentials_t client_cred,
+ const char *serv_prio, const char *cli_prio,
+ const char *host,
+ void *priv, callback_func *client_cb, callback_func *server_cb,
+ unsigned expect_verification_failure,
+ unsigned require_cert,
+ int serv_err,
+ int cli_err);
+
void print_dh_params_info(gnutls_session_t);
void
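Review bot: The newly exported `_test_cli_serv()` prototype carries no comment, and its four trailing arguments are positional `unsigned`/`int` values that read as `0, 1, 0, 0` at the new call site in tests/tls13/ocsp-client.c. A short doc comment above the declaration would help: that a NULL `host` skips the certificate check (today stated only in the one-line comment in utils-adv.c), what `expect_verification_failure` and `require_cert` switch on, what `serv_err` and `cli_err` are compared against, and what the `int` return value means, since the new caller ignores it. The name also begins with an underscore, which C reserves for the implementation at file scope; now that the function has external linkage a plain name would be safer.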
diff --git a/tests/x509-cert-callback-ocsp.c b/tests/x509-cert-callback-ocsp.c
new file mode 100644
index 0000000000..b6ea04d381
--- /dev/null
+++ b/tests/x509-cert-callback-ocsp.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2015-2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/abstract.h>
+#include <gnutls/x509.h>
+#include "utils.h"
+#include "eagain-common.h"
+#include "cert-common.h"
+
+/* This tests gnutls_certificate_set_x509_key() */
+
+const char *side;
+
+static void tls_log_func(int level, const char *str)
+{
+ fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+static gnutls_privkey_t server_pkey = NULL;
+static gnutls_pcert_st *server_pcert = NULL;
+static gnutls_ocsp_data_st ocspdata[2];
+
+#define OCSP_SIZE 16
+#define OCSP_DATA "\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0\xff\xff\xf0\xf0"
+
+static int
+server_cert_callback(gnutls_session_t session,
+ const struct gnutls_cert_retr_st *info,
+ gnutls_pcert_st **pcert,
+ unsigned int *pcert_length,
+ gnutls_ocsp_data_st **ocsp,
+ unsigned int *ocsp_length,
+ gnutls_privkey_t *pkey,
+ unsigned int *flags)
+{
+ int ret;
+ gnutls_pcert_st *p;
+ gnutls_privkey_t lkey;
+ gnutls_x509_crt_t *certs;
+ unsigned certs_size, i;
+
+ if (server_pkey == NULL) {
+ p = gnutls_malloc(2 * sizeof(*p));
+ if (p == NULL)
+ return -1;
+
+ ocspdata[0].response.data = (void*)OCSP_DATA;
+ ocspdata[0].response.size = OCSP_SIZE;
+ ocspdata[0].exptime = 0;
+
+ ocspdata[1].response.data = (void*)OCSP_DATA;
+ ocspdata[1].response.size = OCSP_SIZE;
+ ocspdata[1].exptime = 0;
+
+ ret = gnutls_x509_crt_list_import2(&certs, &certs_size,
+ &server_ca3_localhost_cert_chain,
+ GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0)
+ return -1;
+ ret = gnutls_pcert_import_x509_list(p, certs, &certs_size, 0);
+ if (ret < 0)
+ return -1;
+ for (i = 0; i < certs_size; i++)
+ gnutls_x509_crt_deinit(certs[i]);
+ gnutls_free(certs);
+
+ ret = gnutls_privkey_init(&lkey);
+ if (ret < 0)
+ return -1;
+
+ ret =
+ gnutls_privkey_import_x509_raw(lkey, &server_ca3_key,
+ GNUTLS_X509_FMT_PEM, NULL,
+ 0);
+ if (ret < 0)
+ return -1;
+
+ server_pcert = p;
+ server_pkey = lkey;
+
+ *pcert = p;
+ *pcert_length = 2;
+ *pkey = lkey;
+ *ocsp = ocspdata;
+ *ocsp_length = 2;
+ } else {
+ *pcert = server_pcert;
+ *pcert_length = 2;
+ *pkey = server_pkey;
+ *ocsp = ocspdata;
+ *ocsp_length = 2;
+ }
+
+ return 0;
+}
+
+static void start(const char *prio)
+{
+ int exit_code = EXIT_SUCCESS;
+ int ret;
+ /* Server stuff. */
+ gnutls_certificate_credentials_t scred;
+ gnutls_session_t server;
+ gnutls_datum_t response;
+ int sret = GNUTLS_E_AGAIN;
+ /* Client stuff. */
+ gnutls_certificate_credentials_t ccred;
+ gnutls_session_t client;
+ int cret = GNUTLS_E_AGAIN;
+
+ success("testing %s\n", prio);
+
+ /* General init. */
+ global_init();
+ gnutls_global_set_log_function(tls_log_func);
+ if (debug)
+ gnutls_global_set_log_level(4);
+
+ /* Init server */
+ gnutls_certificate_allocate_credentials(&scred);
+
+ gnutls_certificate_set_retrieve_function3(scred,
+ server_cert_callback);
+
+ gnutls_init(&server, GNUTLS_SERVER);
+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
+ assert(gnutls_priority_set_direct(server,
+ prio, NULL) >= 0);
+ gnutls_transport_set_push_function(server, server_push);
+ gnutls_transport_set_pull_function(server, server_pull);
+ gnutls_transport_set_ptr(server, server);
+ gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
+
+ /* Init client */
+ ret = gnutls_certificate_allocate_credentials(&ccred);
+ if (ret < 0)
+ exit(1);
+
+ gnutls_certificate_set_verify_flags(ccred, GNUTLS_VERIFY_DISABLE_CRL_CHECKS);
+
+ ret =
+ gnutls_certificate_set_x509_trust_mem(ccred, &ca3_cert,
+ GNUTLS_X509_FMT_PEM);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_init(&client, GNUTLS_CLIENT);
+ if (ret < 0)
+ exit(1);
+
+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+ ccred);
+ if (ret < 0)
+ exit(1);
+
+ assert(gnutls_priority_set_direct(client, prio, NULL)>=0);
+ gnutls_transport_set_push_function(client, client_push);
+ gnutls_transport_set_pull_function(client, client_pull);
+ gnutls_transport_set_ptr(client, client);
+
+ HANDSHAKE(client, server);
+
+ ret = gnutls_ocsp_status_request_get(client, &response);
+ if (ret != 0)
+ fail("no response was found: %s\n", gnutls_strerror(ret));
+
+ assert(response.size == OCSP_SIZE);
+ assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0);
+
+ if (gnutls_protocol_get_version(client) == GNUTLS_TLS1_3) {
+ ret = gnutls_ocsp_status_request_get2(client, 1, &response);
+ if (ret != 0)
+ fail("no response was found for 1: %s\n", gnutls_strerror(ret));
+
+ assert(response.size == OCSP_SIZE);
+ assert(memcmp(response.data, OCSP_DATA, OCSP_SIZE) == 0);
+ }
+
+ ret = gnutls_ocsp_status_request_get2(client, 2, &response);
+ if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+ fail("found response in index 1: %s\n", gnutls_strerror(ret));
+ }
+
+ gnutls_bye(client, GNUTLS_SHUT_WR);
+ gnutls_bye(server, GNUTLS_SHUT_WR);
+
+ gnutls_deinit(client);
+ gnutls_deinit(server);
+
+ gnutls_certificate_free_credentials(scred);
+ gnutls_certificate_free_credentials(ccred);
+
+ gnutls_global_deinit();
+
+ if (debug > 0) {
+ if (exit_code == 0)
+ puts("Self-test successful");
+ else
+ puts("Self-test failed");
+ }
+
+ reset_buffers();
+}
+
+void doit(void)
+{
+ start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3");
+ start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2");
+ start("NORMAL:-VERS-TLS-ALL:+VERS-TLS1.1");
+}
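Review bot: In server_cert_callback the pcert array is allocated for exactly two entries (`gnutls_malloc(2 * sizeof(*p))`), but gnutls_pcert_import_x509_list is handed the `certs_size` reported by gnutls_x509_crt_list_import2, so a chain in cert-common.h with more than two certificates would be written past the end of `p`; the chain's length is not visible in this diff. A guard before the import, `if (certs_size != 2) fail("unexpected chain length: %u\n", certs_size);`, would make the hard-coded `*pcert_length = 2` an explicit assumption. The early `return -1` paths also leave `p`, `certs` and `lkey` allocated, and the cached `server_pcert`/`server_pkey` are never released after the last start() call, which will show up if the test is run under a leak checker. Separately, the file comment still names gnutls_certificate_set_x509_key() although the test registers its callback with gnutls_certificate_set_retrieve_function3, and the final fail() message says "index 1" while the call queries index 2.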