deprecating MD5 in signature verification for gnutls-{cli,serv}
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Dec 31 00:14:16 CET 2008
Hi folks--
In light of the recent demonstration of an attack against
X.509 PKI using weaknesses in MD5 [0], i'm quite happy to
see that you must explicitly enable the use of MD5 for
certificate validation in gnutls for over 3 years
(from the 2005-11-07 NEWS entry):
- Due to cryptographic advances, verifying untrusted X.509
certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
GNUTLS_CERT_INSECURE_ALGORITHM verification output. For
applications that must remain interoperable, you can use the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
flags when verifying certificates. Naturally, this is not
recommended default behaviour for applications. To enable the
broken algorithms, call gnutls_certificate_set_verify_flags with the
proper flag, to change the verification mode used by
gnutls_certificate_verify_peers2.
However, gnutls-cli seems to blithely accept certificates that *are*
signed with an md5 hash. You can see this from a debian system with:
echo | gnutls-cli --print-cert --x509cafile /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem support.mayfirst.org | certtool -i
This seems to be the case with both 2.4.2-4 and 2.6.3-1, afaict,
but i haven't tested with 2.7.x.
Are there plans to change this?
--dkg
[0] http://www.win.tue.nl/hashclash/rogue-ca/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20081230/a6f55a45/attachment.pgp>
More information about the Gnutls-devel
mailing list