gnutls-devel

Re: deprecating MD5 in signature verification for gnutls-{cli, serv}


From: Simon Josefsson
Subject: Re: deprecating MD5 in signature verification for gnutls-{cli, serv}
Date: Wed, 07 Jan 2009 11:39:53 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Daniel Kahn Gillmor <address@hidden> writes:

> On 01/06/2009 04:50 PM, Simon Josefsson wrote:
>> I agree, Daniel please backport it.  Please also add NEWS items for the
>> change.
>
> OK, this is now done.  I've backported for 2.6, but not for any earlier
> branch.

Thanks.  When possible, it is a good idea to add links to the discussion
and give credit to the reporter, so I changed the NEWS entry to:

** gnutls: deprecate X.509 validation chains using MD5 and MD2 signatures.
This is a bugfix -- the previous attempt to do this from internal x509
certificate verification procedures did not return the correct value
for certificates using a weak hash.  Reported by Daniel Kahn Gillmor
<address@hidden> in
<http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332>,
debugged and patch by Tomas Mraz <address@hidden> and Daniel Kahn
Gillmor <address@hidden>.

> this is such a trivial change that it would be no problem for me to
> backport it to other branches if folks think that's the right thing to
> do.  What branches are we targeting for this level of support?

I don't have resources to make releases from anything but the latest
stable branch (v2.6.x) and the latest development branch (v2.7), but
feel free to back-port quick fixes like this to older branches too if
you think someone is looking at them (or want a canonical place to point
people to the patch).

Daily snapshots are still being built for v2.4.x, see
http://daily.josefsson.org/gnutls-2.4/ -- however as soon as it stops
building for some reason, I'm going to remove that script since it just
takes too much of my time to keep maintaining old versions forever.
This happened for v2.0 and v2.2 only relatively recently (I think there
was some autoconf problem).

If you or others want to offer support for older branches, e.g. to make
another release of v2.4.x, that would be fine (although I'd prefer if
you would help make v2.6/2.7 better instead :)).

/Simon



