Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
From: Daniel Kahn Gillmor
Subject: Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
Date: Tue, 06 Jan 2009 00:57:35 -0500
User-agent: Mozilla-Thunderbird 2.0.0.17 (X11/20081018)
On 01/06/2009 12:20 AM, Daniel Kahn Gillmor wrote:
> So i suspect that the following is the correct patch (against the git
> head), but i have not tested it yet (and i need to sleep before it gets
> any later):
>
> diff --git a/lib/x509/verify.c b/lib/x509/verify.c
> index 02964ba..c00b4bf 100644
> --- a/lib/x509/verify.c
> +++ b/lib/x509/verify.c
> @@ -320,6 +320,7 @@ _gnutls_verify_certificate2 (gnutls_x509_crt_t cert,
> {
> if (output)
> *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
> + ret = 0;
> }
> }
>
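Review bot: The added `ret = 0;` in `_gnutls_verify_certificate2` overwrites whatever `ret` held before this block, and the hunk does not show that value, so please confirm it cannot be a negative error code at this point that would now be reported as a plain verification failure. Because the flags are stored only when `output` is non-NULL, `ret` is the only signal a caller passing NULL receives; a short comment above the assignment, for example `/* insecure algorithm: report as not verified */`, would make that intent explicit.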
> @@ -1036,6 +1037,7 @@ _gnutls_verify_crl2 (gnutls_x509_crl_t crl,
> {
> if (output)
> *output |= GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID;
> + ret = 0;
> }
> }
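Review bot: The `ret = 0;` added in `_gnutls_verify_crl2` repeats the same flag-then-reset sequence as the certificate hunk, so the two paths can drift apart if one is changed later; consider a small shared helper that sets `GNUTLS_CERT_INSECURE_ALGORITHM | GNUTLS_CERT_INVALID` and returns 0. The testing described in this message exercises TLS connections only, so this CRL path should get its own regression test with an MD5-signed CRL before merging.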
OK, i've tested this patch now against 2.6.3, and it seems to have the
documented behavior: connections certified with SHA1 signatures work
fine, but connections certified with MD5 produce output like:
[...]
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...
1 address@hidden:~$
--dkg