[Help-gnutls] Re: Certificate verification failed
From: Simon Josefsson
Subject: [Help-gnutls] Re: Certificate verification failed
Date: Thu, 27 Oct 2005 14:40:11 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Daniel Stenberg <address@hidden> writes:
> On Thu, 27 Oct 2005, Simon Josefsson wrote:
>
>> However, I am skeptical about supporting MD2, and even MD5, by
>> default. I know GnuTLS certtool prints a warning about MD5, but the
>> library does not, and most GnuTLS library users probably don't
>> either.
>
> Perhaps if we got some nice pointers in the docs or something, us
> library users could also output a warning in similar style.

Use gnutls_x509_crt_get_signature_algorithm() on the certificates in
the chain; if any of them is GNUTLS_SIGN_RSA_MD5 or GNUTLS_SIGN_RSA_MD2,
I think you are in potential trouble and may issue a warning.

However, you are right that this problem warrants a section in the
manual. I'll try to add one, and post it here for review.

> I would be fine with that, but as you can assume I would have to more
> or less unconditionally enable them for libcurl, since as you just
> saw: official CA certs out of our control clearly are using such
> algorithms.

How about only enabling use of MD2/MD5 when --insecure is used?

Thanks,
Simon
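
Added example, not part of the original message and not GnuTLS code: a dependency-free C version of the check described above, reading the outer signatureAlgorithm OID of a DER certificate directly instead of calling gnutls_x509_crt_get_signature_algorithm(). The names sig_class, cert_sig_class and sample_md5 are assumptions of this example, and the sample bytes are a constructed skeleton rather than a real certificate.

```c
#include <stddef.h>
#include <string.h>

/* Result codes are this example's own, not GnuTLS values. */
enum sig_class { SIG_PARSE_ERROR = -1, SIG_OTHER = 0, SIG_RSA_MD2 = 2, SIG_RSA_MD5 = 5 };

/* Read one DER tag/length header at *p, bounds-checked against end.
   On success *p points at the value and 0 is returned. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {                        /* long form: low 7 bits = count of length bytes */
        size_t n = l & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1;
    *len = l;
    return 0;
}

/* Classify the outer signatureAlgorithm OID of one DER-encoded certificate. */
enum sig_class cert_sig_class(const unsigned char *der, size_t der_len)
{
    /* 1.2.840.113549.1.1.x (PKCS #1): x = 2 is md2WithRSA, x = 4 is md5WithRSA */
    static const unsigned char pkcs1[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01};
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag;
    size_t len;

    if (der_header(&p, end, &tag, &len) || tag != 0x30) return SIG_PARSE_ERROR; /* Certificate */
    end = p + len;
    if (der_header(&p, end, &tag, &len) || tag != 0x30) return SIG_PARSE_ERROR; /* tbsCertificate */
    p += len;                                /* skip the signed body */
    if (der_header(&p, end, &tag, &len) || tag != 0x30) return SIG_PARSE_ERROR; /* AlgorithmIdentifier */
    end = p + len;
    if (der_header(&p, end, &tag, &len) || tag != 0x06) return SIG_PARSE_ERROR; /* OID */
    if (len != sizeof pkcs1 + 1 || memcmp(p, pkcs1, sizeof pkcs1) != 0) return SIG_OTHER;
    return p[len - 1] == 0x02 ? SIG_RSA_MD2 : p[len - 1] == 0x04 ? SIG_RSA_MD5 : SIG_OTHER;
}

/* Constructed skeleton (empty tbsCertificate, one-byte signature), not a real certificate. */
const unsigned char sample_md5[] = {0x30,0x14, 0x30,0x00,
    0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04, 0x05,0x00,
    0x03,0x01,0x00};
```

Run cert_sig_class() over each DER certificate in the peer's chain and warn when it returns SIG_RSA_MD2 or SIG_RSA_MD5; a SIG_PARSE_ERROR result should be treated as a failed check, not as a pass.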