Bug#507633: libgnutls26: GnuTLS does not know VeriSign any more

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Dec 5 20:01:00 CET 2008


Simon Josefsson wrote:

>>> gnutls-cli  -p 443 hbci-pintan-rp.s-hbci.de --x509cafile \
>>> /etc/ssl/certs/ca-certificates.crt
>> It seems to me that MD2 is missing from newer gnutls and this is the
>> reason why it fails. libgcrypt has the MD2 enumeration but not the
>> actual implementation and this tricked me into removing the included
>> md2. I will try to revert the old behavior of using an included version
>> of md2.
> 
> I don't think MD2 should be required here: chain verification should not
> need to verify the RSA-MD2 self-signature in the CA cert, because that
> cert is marked as trusted.
> 
> If there were other MD2 signatures involved, verification should
> definitely fail, but that doesn't seem to be the case with this chain.
> 
> It seems this problem is caused by the chain validation algorithm now
> also looking at the CA cert, which it didn't do before the GNUTLS-SA-2008-3
> patch.

I've added again the GNUTLS-SA-2008-3 patch this time with some checks
to avoid the crashes.

regards,
Nikos
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: </pipermail/attachments/20081205/9282f325/attachment.txt>
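As an added illustration (not code from GnuTLS or from either poster), here is a toy model of the verification rule Simon describes: a certificate found in the trust store is accepted on trust alone and its self-signature is never checked, while every other signature in the chain is verified and rejected if it uses MD2. The Cert class, the signature_checks_out stand-in and the sample certificates are all constructed assumptions, not real keys or real CA names.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Signature algorithms the verifier must reject on any certificate it has to
# actually verify (MD2 is the one at issue in this thread).
WEAK_SIG_ALGOS = {"RSA-MD2", "RSA-MD5"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_algo: str      # algorithm of the signature *on* this certificate
    signing_key: str   # stand-in for the key that produced that signature

def signature_checks_out(cert: Cert, issuer: Cert) -> bool:
    """Toy stand-in for a real RSA signature check: the signature on `cert`
    verifies iff it was produced with the issuer's key."""
    return cert.signing_key == f"key-of:{issuer.subject}"

def verify_chain(chain: List[Cert], trust_store: Set[Cert]) -> Optional[str]:
    """Verify a chain ordered leaf first. Returns None on success, otherwise
    the reason for rejection. A certificate in the trust store is accepted on
    trust alone: its self-signature (and the algorithm used for it) is never
    examined, so an MD2-signed root in the store does not cause a failure."""
    anchors = {c.subject: c for c in trust_store}
    cert, rest = chain[0], list(chain[1:])
    while True:
        if cert in trust_store:
            return None                       # reached a trust anchor
        if rest and rest[0].subject == cert.issuer:
            issuer, rest = rest[0], rest[1:]  # issuer was sent by the peer
        elif cert.issuer in anchors:
            issuer = anchors[cert.issuer]     # issuer known only locally
        else:
            return f"{cert.subject}: issuer {cert.issuer!r} not found"
        if cert.sig_algo in WEAK_SIG_ALGOS:
            return f"{cert.subject}: signed with weak algorithm {cert.sig_algo}"
        if not signature_checks_out(cert, issuer):
            return f"{cert.subject}: signature does not verify"
        cert = issuer

# Constructed sample chain (made-up CA names): an MD2 self-signed root,
# a SHA-1 signed intermediate and the server certificate from the thread.
ROOT = Cert("Example Root CA", "Example Root CA", "RSA-MD2", "key-of:Example Root CA")
INTER = Cert("Example Server CA", "Example Root CA", "RSA-SHA1", "key-of:Example Root CA")
LEAF = Cert("hbci-pintan-rp.s-hbci.de", "Example Server CA", "RSA-SHA1",
            "key-of:Example Server CA")
```

With ROOT in the store, both the full chain and a chain that omits the root verify; swapping the intermediate's signature algorithm to RSA-MD2 is rejected, because that signature must actually be checked.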