[gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)

[Read-only notification of GnuTLS library development activities]

Richard Frith-Macdonald commented:


Trying again with the latest code (3.7.4) and with higher debug level set, I see that the certificate is found in the trust list, but rejected with 'security level is unacceptable'

|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:1034^M
|<2>| issuer in verification was not found or insecure; trying against trust list^M
|<3>| ASSERT: verify.c[verify_crt]:688^M
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60^M
|<3>| ASSERT: mpi.c[wrap_nettle_mpi_print]:60^M
|<3>| cert: subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="^M
|<2>| GNUTLS_SEC_PARAM_HIGH: certificate's security level is unacceptable^M
|<3>| ASSERT: verify.c[is_level_acceptable]:504^M
|<3>| ASSERT: verify.c[verify_crt]:811^M
|<3>| ASSERT: verify.c[verify_crt]:840^M
|<3>| ASSERT: verify.c[_gnutls_verify_crt_status]:1034^M
|<3>| ASSERT: verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615^M
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm. ^M
*** PKI verification of server certificate failed...^M

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1348#note_894199116
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20220330/3359abb1/attachment-0001.html>