gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: deprecating MD5 in signature verification for gnutls-{cli, serv}

From: Daniel Kahn Gillmor
Subject: Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
Date: Tue, 06 Jan 2009 00:57:35 -0500
User-agent: Mozilla-Thunderbird 2.0.0.17 (X11/20081018) 
On 01/06/2009 12:20 AM, Daniel Kahn Gillmor wrote:
> So i suspect that the following is the correct patch (against the git
> head), but i have not tested it yet (and i need to sleep before it gets
> any later):
> 
> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index 02964ba..c00b4bf 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -320,6 +320,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
>       {
>         if (output)
>           *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
> +       ret = 0;
>       }
>      }
> 
> @@ -1036,6 +1037,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
>        {
>       if (output)
>         *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
> +     ret = 0;
>        }
>    }

OK, i've tested this patch now against 2.6.3, and it seems to have the
documented behavior: connections certified with SHA1 signatures work
fine, but connections certified with MD5 produce output like:

 [...]
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...
1 address@hidden:~$

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to
[Prev in Thread] Current Thread [Next in Thread]