Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

From: Simon Josefsson
Subject: Re: Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more
Date: Thu, 04 Dec 2008 09:58:14 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)

Nikos Mavrogiannopoulos <address@hidden> writes:

> Andreas Metzler wrote:
>> On 2008-12-03 Michael Kiefer <address@hidden> wrote:
>>> Package: libgnutls26
>>> Version: 2.4.2-3
>>> Severity: important
>>> Since I updated libgnutls26 from 2.4.2-1 to 2.4.2-3 kMyMoney2 does
>>> not connect to my bank any more.  When I run gnutls-cli --insecure
>>> -p 443 -d 4711 --print-cert it says
>>> - Peer's certificate issuer is unknown
>>> - Peer's certificate is NOT trusted
>> [...]
>> FWIW adding or dropping
>> indeed makes
>> gnutls-cli  -p 443 --x509cafile \
>> /etc/ssl/certs/ca-certificates.crt
> It seems to me that MD2 is missing from newer gnutls and this is the
> reason why it fails. libgcrypt has the MD2 enumeration but not the
> actual implementation and this tricked me into removing the included
> md2. I will try to revert the old behavior of using an included version
> of md2.

I don't think MD2 should be required here: chain verification should not
need to verify the RSA-MD2 self-signature in the CA cert, because that
cert is marked as trusted.

If there were other MD2 signatures involved, verification should
definitely fail, but that doesn't seem to be the case with this chain.

It seems this problem is caused by the chain validation algorithm now
also looking at the CA cert, but it didn't before the GNUTLS-SA-2008-3
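The distinction Simon draws above, shown as an added toy model (this is not code from the thread or from GnuTLS): a chain verifier checks each certificate's signature against its issuer's key until it reaches a certificate in the trust store, and it never verifies the anchor's own self-signature. With that control flow, an anchor whose self-signature uses an algorithm the library no longer supports (MD2 here) still works, while the same algorithm on any other certificate in the chain is a hard failure. Certificates are plain dicts and "signatures" are HMACs over the to-be-signed bytes keyed by a per-issuer secret, standing in for RSA; the names, keys and chain are constructed for the example.

```python
"""Toy X.509-style chain validation that stops at the trust anchor.

Constructed example: certs are dicts, and a "signature" is an HMAC over
the to-be-signed bytes keyed by the issuer's secret (a stand-in for RSA).
The point is the control flow: the trust anchor's self-signature is never
checked, so an unsupported algorithm there is harmless, while the same
algorithm on a non-anchor cert makes verification fail.
"""
import hashlib
import hmac

# Hash algorithms this toy verifier is willing to check signatures with.
# MD2 is deliberately absent, mirroring a library that dropped it.
SUPPORTED_ALGS = {"sha1", "sha256"}


class UnsupportedAlgorithm(Exception):
    pass


class VerificationError(Exception):
    pass


def toy_sign(issuer_key: bytes, alg: str, tbs: bytes) -> bytes:
    """Stand-in for an RSA signature over `tbs`.  An "md2" signature is
    produced with md5 only so that an MD2-tagged blob exists for the demo;
    the verifier refuses to check it regardless of its bytes."""
    digest = "md5" if alg == "md2" else alg
    return hmac.new(issuer_key, tbs, digest).digest()


def make_cert(subject: str, issuer: str, own_key: bytes,
              issuer_key: bytes, alg: str) -> dict:
    tbs = f"{subject}|{issuer}|{alg}".encode()
    return {"subject": subject, "issuer": issuer, "alg": alg, "tbs": tbs,
            "key": own_key, "sig": toy_sign(issuer_key, alg, tbs)}


def verify_signature(cert: dict, issuer: dict) -> None:
    """Check cert's signature with the issuer's key; refuse unsupported algs."""
    if cert["alg"] not in SUPPORTED_ALGS:
        raise UnsupportedAlgorithm(f"{cert['subject']}: {cert['alg']} signature")
    expected = toy_sign(issuer["key"], cert["alg"], cert["tbs"])
    if not hmac.compare_digest(expected, cert["sig"]):
        raise VerificationError(f"{cert['subject']}: bad signature")


def verify_chain(chain: list, trust_store: dict) -> bool:
    """chain is leaf first; trust_store maps subject -> anchor cert.

    Walk towards the root.  A cert that *is* a trust anchor, or whose
    issuer is one, ends the walk.  The anchor's own self-signature is not
    verified: trust in it comes from the store, not from its signature."""
    for i, cert in enumerate(chain):
        anchor = trust_store.get(cert["subject"])
        if anchor is not None and anchor["tbs"] == cert["tbs"]:
            return True  # reached the anchor itself; do not check its self-signature
        issuer = trust_store.get(cert["issuer"])
        if issuer is None:
            if i + 1 >= len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
                raise VerificationError(f"{cert['subject']}: issuer unknown")
            issuer = chain[i + 1]
        verify_signature(cert, issuer)
        if cert["issuer"] in trust_store:
            return True  # signed by a trusted CA; done
    raise VerificationError("chain did not end at a trust anchor")


def build_chains():
    """Constructed chains: a root whose self-signature is MD2 (like the CA
    cert in the thread), an intermediate and a leaf signed with SHA-1, and
    a variant whose intermediate is MD2-signed."""
    root_key, inter_key, leaf_key = b"root-secret", b"inter-secret", b"leaf-secret"
    root = make_cert("Toy Root CA", "Toy Root CA", root_key, root_key, "md2")
    inter = make_cert("Toy Intermediate CA", "Toy Root CA", inter_key, root_key, "sha1")
    leaf = make_cert("bank.example", "Toy Intermediate CA", leaf_key, inter_key, "sha1")
    inter_md2 = make_cert("Toy Intermediate CA", "Toy Root CA", inter_key, root_key, "md2")
    trust_store = {root["subject"]: root}
    return [leaf, inter], [leaf, inter_md2], trust_store


if __name__ == "__main__":
    good, bad, store = build_chains()
    print("MD2 only on the anchor:", verify_chain(good, store))
    try:
        verify_chain(bad, store)
    except UnsupportedAlgorithm as e:
        print("MD2 on the intermediate:", e)
```

Running it prints that the first chain verifies even though the anchor's self-signature is MD2, and that the second chain is rejected because a non-anchor certificate carries an MD2 signature. A verifier that also re-checked the anchor's self-signature would reject both, which is the behaviour change the message above is pointing at.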
