Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
From: Simon Josefsson
Subject: Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
Date: Tue, 06 Jan 2009 23:17:33 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Daniel Kahn Gillmor <address@hidden> writes:
> On 01/05/2009 01:48 PM, Tomas Mraz wrote:
>> If the only MD5 used in signatures is in the _trusted_ CA cert (and not
>> in the leaf and intermediate certificates) it is OK. But it is not the
>> case of the support.mayfirst.org site. But I don't see how the removal
>> of the last self-signed certificate from the chain could break the
>> algorithm. There must be some different bug in play.
>
> I agree with this assessment. It would be really useful in debugging if
> certtool was able to use the same internal algorithm that the other
> tools use.

Indeed, and I've now made that happen. Look at the final line at:

address@hidden:~/src/gnutls/src master$ (echo | gnutls-cli --print-cert --x509cafile /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem support.mayfirst.org; cat /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem) | ./certtool -e
Certificate[0]: C=US,O=support.mayfirst.org,OU=GT69079880,OU=See www.rapidssl.com/resources/cps (c)07,OU=Domain Control Validated - RapidSSL(R),CN=support.mayfirst.org
Issued by: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
Verifying against certificate[1].
Verification output: Not verified, Insecure algorithm.
Certificate[1]: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
Issued by: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
Verification output: Verified.
Chain verification output: Not verified, Insecure algorithm.
address@hidden:~/src/gnutls/src master$

The last line contains the result from validating the chain using the
library algorithm. The flags are always 0 which can vary from how
libgnutls is used by applications, though, but at least this is a step
in the right direction.
/Simon
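
The policy discussed in this message and in the quoted text (an MD5 signature on a leaf or intermediate certificate makes the chain insecure, the self-signature on a trusted CA certificate does not matter, and dropping the self-signed certificate from the chain does not change the result), as an added example that is not part of the original message and is not GnuTLS code. It is a simplified model: the struct, status bits and sample certificates are constructed, trust anchors are matched by subject name only, and no real signature is checked.

```c
#include <stdio.h>
#include <string.h>

/* Status bits of this model (constructed; not the GnuTLS constants). */
enum { ST_INVALID = 1, ST_INSECURE_ALG = 2, ST_SIGNER_NOT_FOUND = 4 };
enum sig_alg { RSA_MD5, RSA_SHA256 };
struct cert { const char *subject, *issuer; enum sig_alg alg; }; /* alg: signature ON this cert */

/* Constructed sample data shaped like the case in the thread. */
static const struct cert ROOT     = { "Example Root CA", "Example Root CA", RSA_MD5 };
static const struct cert LEAF_MD5 = { "www.example.org", "Example Root CA", RSA_MD5 };
static const struct cert LEAF_OK  = { "www.example.org", "Example Root CA", RSA_SHA256 };

static const struct cert *find(const struct cert *set, size_t n, const char *subject)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i].subject, subject) == 0)
            return &set[i];
    return NULL;
}

/* Walk chain[0..n) leaf-first against the trust store; 0 means verified. */
unsigned verify_chain(const struct cert *chain, size_t n,
                      const struct cert *trusted, size_t ntrusted)
{
    unsigned status = 0;
    for (size_t i = 0; i < n; i++) {
        /* A cert that is itself a trust anchor ends the walk: its own
           signature is never relied on, so its hash is not examined. */
        if (find(trusted, ntrusted, chain[i].subject))
            return status;
        /* Every signature that is relied on must not use a broken hash. */
        if (chain[i].alg == RSA_MD5)
            status |= ST_INVALID | ST_INSECURE_ALG;
        /* The issuer is the next chain element or an anchor outside the chain. */
        if (i + 1 < n && strcmp(chain[i + 1].subject, chain[i].issuer) == 0)
            continue;
        if (!find(trusted, ntrusted, chain[i].issuer))
            status |= ST_INVALID | ST_SIGNER_NOT_FOUND;
        return status;
    }
    return ST_INVALID | ST_SIGNER_NOT_FOUND; /* empty chain */
}

int main(void)
{
    struct cert chain[] = { LEAF_MD5, ROOT };
    printf("status=%u\n", verify_chain(chain, 2, &ROOT, 1));
    return 0;
}
```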