help-gnutls

[Help-gnutls] Re: Certificate verification failed


From: Simon Josefsson
Subject: [Help-gnutls] Re: Certificate verification failed
Date: Fri, 28 Oct 2005 11:21:58 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Daniel Stenberg <address@hidden> writes:

>> I think we should disable both MD2 and MD5, and introduce an API to
>> modify gnutls_certificate_verify_peers2, a'la
>>
>>  gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)
>
> I would be fine with that, but as you can assume I would have to more
> or less unconditionally enable them for libcurl, since as you just
> saw: official CA certs out of our control clearly are using such
> algorithms.
>
> And I would assume that one or two other GnuTLS using libs/apps will
> be using that very same cert bundle...

After some discussion and more thinking, we realize that if the CA
bundle includes an MD2 cert, whether the MD2 algorithm is broken or not
doesn't matter -- if the user trusts that particular cert for verifying
other certificates, the verification algorithm should let it through.
The code in CVS should now work correctly.  The original example in
this thread, with MD2 certs, now works; see below.

Please test whether tomorrow's daily build solves all the problems
discussed in this thread.

Thanks,
Simon

address@hidden:~/src/gnutls$ gnutls-cli www2.net.hsbc.com --x509cafile /usr/share/curl/curl-ca-bundle.crt
Processed 59 CA certificate(s).
Resolving 'www2.net.hsbc.com'...
Connecting to '205.241.15.110:443'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'www2.net.hsbc.com'.
 # valid since: Wed May  4 02:00:00 CEST 2005
 # expires at: Fri May  5 01:59:59 CEST 2006
 # fingerprint: 3C:13:7F:B0:E2:E1:1A:3E:4C:8E:D0:FA:2E:20:B4:60
 # Subject's DN: C=US,ST=New Jersey,L=Jersey City,O=hsbc.com\, inc.,OU=ny03www2-2005,OU=Terms of use at www.verisign.com/rpa (c)00,CN=www2.net.hsbc.com
 # Issuer's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

 - Certificate[1] info:
 # valid since: Thu Apr 17 02:00:00 CEST 1997
 # expires at: Tue Oct 25 01:59:59 CEST 2011
 # fingerprint: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
 # Subject's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority

 - Certificate[2] info:
 # valid since: Mon Jan 29 01:00:00 CET 1996
 # expires at: Wed Aug  2 01:59:59 CEST 2028
 # fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority


- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: MD5
- Compression: NULL
- Handshake was completed

- Simple Client Mode:


address@hidden:~/src/gnutls$
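
The rule described in the message above, as a simplified C model added here (not GnuTLS source and not part of the original message): the weak-hash check applies to every certificate whose signature the verifier relies on, while a certificate found in the trusted bundle ends the walk without its own signature algorithm being judged. The struct, function names, result codes and sample chains are constructed for illustration, and the signature math is left out.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of chain validation, NOT GnuTLS code. All names are
 * hypothetical; the cryptographic signature check itself is left out. */
enum sig_alg { RSA_SHA1, RSA_MD5, RSA_MD2 };
enum { V_OK, V_NO_ISSUER, V_INSECURE_ALG };

struct cert {
    const char *fp, *subject, *issuer;
    enum sig_alg alg;                 /* hash used in the signature ON this cert */
};

static const struct cert *find(const struct cert *set, size_t n,
                               const char *key, int by_fp)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(by_fp ? set[i].fp : set[i].subject, key) == 0)
            return &set[i];
    return NULL;
}

int verify_chain(const struct cert *chain, size_t n,
                 const struct cert *anchors, size_t m)
{
    for (size_t i = 0; i < n; i++) {
        if (find(anchors, m, chain[i].fp, 1))
            return V_OK;              /* trusted by configuration: own signature not judged */
        if (chain[i].alg == RSA_MD2 || chain[i].alg == RSA_MD5)
            return V_INSECURE_ALG;    /* trust would rest on a weak-hash signature */
        if (find(anchors, m, chain[i].issuer, 0))
            return V_OK;              /* issuer is an anchor the peer did not send */
        if (i + 1 == n || strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return V_NO_ISSUER;       /* chain is out of order or incomplete */
    }
    return V_NO_ISSUER;
}

/* Constructed sample data (not taken from the transcript above). */
static const struct cert root = { "fp-root", "Root CA", "Root CA", RSA_MD2 };
static const struct cert good[] = { { "fp-leaf", "www.example.test", "Mid CA", RSA_SHA1 },
    { "fp-mid", "Mid CA", "Root CA", RSA_SHA1 }, { "fp-root", "Root CA", "Root CA", RSA_MD2 } };
static const struct cert weak_mid[] = { { "fp-leaf", "www.example.test", "Mid CA", RSA_SHA1 },
    { "fp-mid5", "Mid CA", "Root CA", RSA_MD5 }, { "fp-root", "Root CA", "Root CA", RSA_MD2 } };

int main(void)
{
    printf("MD2 root in bundle:  %d\n", verify_chain(good, 3, &root, 1));
    printf("MD2 root, no bundle: %d\n", verify_chain(good, 3, NULL, 0));
    printf("MD5 intermediate:    %d\n", verify_chain(weak_mid, 3, &root, 1));
    return 0;
}
```

The third case shows what the exemption does not cover: an MD5-signed intermediate is still rejected even though the MD2 root above it is trusted.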




