Add workaround GnuTLS bug with OCSP status extension and non-blocking socket

GnuTLS version 3.1.3 - 3.1.18 and 3.2.0 - 3.2.8, inclusive, has this
bug. For these versions, we disable OCSP status extension.

src/LibgnutlsTLSSession.cc

@@ -60,14 +60,44 @@ GnuTLSSession::~GnuTLSSession()
   }
 }
 
+// GnuTLS version 3.1.3 - 3.1.18 and 3.2.0 - 3.2.8, inclusive, have a
+// bug which makes SSL/TLS handshake fail if OCSP status extension is
+// enabled and non-blocking socket is used.  To workaround this bug,
+// for these versions of GnuTLS, we disable OCSP status extension. We
+// expect that upcoming (at the time of this writing) 3.1.19 and 3.2.9
+// will fix this bug.  See
+// http://lists.gnutls.org/pipermail/gnutls-devel/2014-January/006679.html
+// for dtails.
+#if (GNUTLS_VERSION_NUMBER >= 0x030103 && GNUTLS_VERSION_NUMBER <= 0x030112) \
+  || (GNUTLS_VERSION_NUMBER >= 0x030200 && GNUTLS_VERSION_NUMBER <= 0x030208)
+# define A2_DISABLE_OCSP 1
+#endif
+
 int GnuTLSSession::init(sock_t sockfd)
 {
-  rv_ = gnutls_init(&sslSession_,
+  unsigned int flags = tlsContext_->getSide() == TLS_CLIENT ?
-                    tlsContext_->getSide() == TLS_CLIENT ?
+    GNUTLS_CLIENT : GNUTLS_SERVER;
-                    GNUTLS_CLIENT : GNUTLS_SERVER);
+#ifdef A2_DISABLE_OCSP
+  if(tlsContext_->getSide() == TLS_CLIENT) {
+    flags |= GNUTLS_NO_EXTENSIONS;
+  }
+#endif // A2_DISABLE_OCSP
+
+  rv_ = gnutls_init(&sslSession_, flags);
   if(rv_ != GNUTLS_E_SUCCESS) {
     return TLS_ERR_ERROR;
   }
+#ifdef A2_DISABLE_OCSP
+  if(tlsContext_->getSide() == TLS_CLIENT) {
+    // Enable session ticket extension manually because of
+    // GNUTLS_NO_EXTENSIONS.
+    rv_ = gnutls_session_ticket_enable_client(sslSession_);
+    if(rv_ != GNUTLS_E_SUCCESS) {
+      return TLS_ERR_ERROR;
+    }
+  }
+#endif // A2_DISABLE_OCSP
+
   // It seems err is not error message, but the argument string
   // which causes syntax error.
   const char* err;