[Help-gnutls] Re: Certificate verification failed
From: Simon Josefsson
Subject: [Help-gnutls] Re: Certificate verification failed
Date: Thu, 27 Oct 2005 10:56:05 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)
Nikos Mavrogiannopoulos <address@hidden> writes:
> This cannot be solved. This certificate uses MD2 which is not included in
> libgcrypt as yet. I don't know if there are plans to include it in the future
> though.
We could add a MD2 implementation to gnulib, to make GnuTLS support
this when MD2 is not available through libgcrypt. I'm working on this
now.
However, I am skeptical about supporting MD2, and even MD5, by
default. I know GnuTLS certtool prints a warning about MD5, but the
library does not, and most GnuTLS library users probably don't
either.
I think we should disable both MD2 and MD5, and introduce an API to
modify gnutls_certificate_verify_peers2, à la
gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)
and a new gnutls_certificate_verify_flags enumeration type, for
gnutls_x509_crt_verify calls, e.g.:
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
All this for applications/users that want to sacrifice security for
interoperability.
What do you think?
Cheers,
Simon
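The policy sketched in the message above (reject MD2/MD5-signed certificates by default, and let an application opt back in per algorithm through verification flags) as an added, self-contained C example. This is not GnuTLS code and not Simon's: the type names, flag bit values, status bits and the toy `cert_t` structure are assumptions modelled on the flag names he proposes; the RSA signature check itself is stood in for by a boolean, since the point here is the algorithm policy, not the arithmetic. The constructed chain also shows one caveat a practitioner wants: the self-signature on a configured trust anchor is never verified, so an MD5-signed root does not trip the check, only an MD5 signature *made by* some issuer on a certificate in the chain does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature algorithms. Names follow the GNUTLS_SIGN_RSA_* style used in
   the message; the values are illustrative, not GnuTLS's. */
typedef enum {
    SIGN_RSA_MD2,
    SIGN_RSA_MD5,
    SIGN_RSA_SHA1,
    SIGN_RSA_SHA256
} sign_algorithm_t;

/* Verification flags, modelled on the GNUTLS_VERIFY_ALLOW_SIGN_RSA_*
   names proposed in the message. Bit assignments are assumptions. */
enum {
    VERIFY_ALLOW_SIGN_RSA_MD2 = 1u << 0,
    VERIFY_ALLOW_SIGN_RSA_MD5 = 1u << 1
};

/* Status bits returned to the caller; 0 means the chain verified. */
enum {
    CERT_INVALID            = 1u << 0,
    CERT_INSECURE_ALGORITHM = 1u << 1,
    CERT_SIGNER_NOT_FOUND   = 1u << 2
};

/* Toy certificate (assumption): names are plain strings and signature_ok
   stands in for the RSA signature verification that is not performed here. */
typedef struct {
    const char *subject;
    const char *issuer;
    sign_algorithm_t sign_algo;   /* algorithm the issuer used to sign this cert */
    bool signature_ok;
} cert_t;

/* Secure by default: weak digests are rejected unless explicitly enabled. */
static bool algo_allowed(sign_algorithm_t a, unsigned flags)
{
    switch (a) {
    case SIGN_RSA_MD2: return (flags & VERIFY_ALLOW_SIGN_RSA_MD2) != 0;
    case SIGN_RSA_MD5: return (flags & VERIFY_ALLOW_SIGN_RSA_MD5) != 0;
    default:           return true;   /* SHA-1/SHA-256 pass this toy policy */
    }
}

/* Verify chain[0..n-1] (leaf first) against the trust anchors. Each
   certificate's signature algorithm is checked against the policy; the
   anchor's own self-signature is never examined, because trust in the
   anchor comes from configuration, not from its signature. */
unsigned verify_chain(const cert_t *chain, size_t n,
                      const cert_t *anchors, size_t n_anchors, unsigned flags)
{
    unsigned status = 0;
    for (size_t i = 0; i < n; i++) {
        const cert_t *c = &chain[i];
        bool issuer_is_anchor = false;
        const cert_t *issuer = NULL;

        for (size_t j = 0; j < n_anchors; j++) {
            if (strcmp(anchors[j].subject, c->issuer) == 0) {
                issuer = &anchors[j];
                issuer_is_anchor = true;
                break;
            }
        }
        if (issuer == NULL && i + 1 < n && strcmp(chain[i + 1].subject, c->issuer) == 0)
            issuer = &chain[i + 1];
        if (issuer == NULL)
            return status | CERT_INVALID | CERT_SIGNER_NOT_FOUND;

        if (!c->signature_ok)
            status |= CERT_INVALID;
        if (!algo_allowed(c->sign_algo, flags))
            status |= CERT_INVALID | CERT_INSECURE_ALGORITHM;
        if (issuer_is_anchor)
            break;   /* reached a trusted root; nothing above it to check */
    }
    return status;
}

/* Constructed scenario: leaf <- intermediate <- root (anchor). The root is
   itself self-signed with MD5 on purpose, to show that an anchor's own
   signature does not count; only the intermediate's algorithm varies. */
unsigned run_scenario(sign_algorithm_t intermediate_algo, unsigned flags)
{
    const cert_t root = { "Example Root CA", "Example Root CA", SIGN_RSA_MD5, true };
    const cert_t chain[2] = {
        { "www.example.com",         "Example Intermediate CA", SIGN_RSA_SHA256,   true },
        { "Example Intermediate CA", "Example Root CA",         intermediate_algo, true }
    };
    return verify_chain(chain, 2, &root, 1, flags);
}

int main(void)
{
    printf("MD5 intermediate, default flags: status 0x%x\n", run_scenario(SIGN_RSA_MD5, 0));
    printf("MD5 intermediate, ALLOW_MD5:     status 0x%x\n",
           run_scenario(SIGN_RSA_MD5, VERIFY_ALLOW_SIGN_RSA_MD5));
    return 0;
}
```

Note that an application which sets an ALLOW flag gets a clean status back; the library cannot tell it later that it is relying on a broken digest. If the real API is ever shaped this way, callers should treat the flag as a per-deployment interoperability switch, not a default.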