[Help-gnutls] Re: Certificate verification failed

Daniel Stenberg daniel at haxx.se
Thu Oct 27 12:46:23 CEST 2005

On Thu, 27 Oct 2005, Simon Josefsson wrote:

> However, I am skeptical about supporting MD2, and even MD5, by default.  I 
> know GnuTLS certtool print a warning about MD5, but the library does not, 
> and most GnuTLS library users probably doesn't either.

Perhaps if we got some nice pointers in the docs or something us library users 
could also output a warning in similar style.

> I think we should disable both MD2 and MD5, and introduce an API to
> modify gnutls_certificate_verify_peers2, a'la
>  gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)

I would be fine with that, but as you can assume I would have to more or less 
unconditionally enable them for libcurl, since as you just saw: official CA 
certs out of our control clearly are using such algorithms.

And I would assume that one or two other GnuTLS using libs/apps will be using 
that very same cert bundle...

          -=- Daniel Stenberg -=- http://daniel.haxx.se -=-
   ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol

More information about the Gnutls-help mailing list