Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more
Nikos Mavrogiannopoulos
nmav at gnutls.org
Fri Dec 5 20:01:00 CET 2008
Simon Josefsson wrote:
>>> gnutls-cli -p 443 hbci-pintan-rp.s-hbci.de --x509cafile \
>>> /etc/ssl/certs/ca-certificates.crt
>> It seems to me that MD2 is missing from newer gnutls and this is the
>> reason why it fails. libgcrypt has the MD2 enumeration but not the
>> actual implementation and this tricked me into removing the included
>> md2. I will try to revert the old behavior of using an included version
>> of md2.
>
> I don't think MD2 should be required here: chain verification should not
> need to verify the RSA-MD2 self-signature in the CA cert, because that
> cert is marked as trusted.
>
> If there were other MD2 signatures involved, verification should
> definitely fail, but that doesn't seem to be the case with this chain.
>
> It seems this problem is caused by the chain validation algorithm now
> also look at the CA cert, but it didn't before the GNUTLS-SA-2008-3
> patch.
I've added again the GNUTLS-SA-2008-3 patch this time with some checks
to avoid the crashes.
regards,
Nikos
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: </pipermail/attachments/20081205/9282f325/attachment.txt>
More information about the Gnutls-devel
mailing list