[Help-gnutls] Re: Certificate verification failed
daniel at haxx.se
Thu Oct 27 12:46:23 CEST 2005
On Thu, 27 Oct 2005, Simon Josefsson wrote:
> However, I am skeptical about supporting MD2, and even MD5, by default. I
> know GnuTLS certtool print a warning about MD5, but the library does not,
> and most GnuTLS library users probably don't either.
Perhaps if we got some nice pointers in the docs or something, we library users
could also output a warning in a similar style.
> I think we should disable both MD2 and MD5, and introduce an API to
> modify gnutls_certificate_verify_peers2, à la
> gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)
I would be fine with that, but as you can assume I would have to more or less
unconditionally enable them for libcurl, since as you just saw: official CA
certs out of our control clearly are using such algorithms.
And I would assume that one or two other GnuTLS-using libs/apps will be using
that very same cert bundle...
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol
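
Added example (not part of the original message, and not GnuTLS or libcurl code): one way a library user could produce the kind of warning discussed above is to read each CA certificate's signatureAlgorithm OID and flag MD2 and MD5. The DER skeletons and labels in `SAMPLE` are constructed for illustration, and all function names are hypothetical.

```python
RSA_PREFIX = bytes.fromhex("2a864886f70d0101")   # OID arc 1.2.840.113549.1.1
SIG_ALGS = {2: "md2WithRSAEncryption", 4: "md5WithRSAEncryption",
            5: "sha1WithRSAEncryption", 11: "sha256WithRSAEncryption"}
WEAK = {"md2WithRSAEncryption", "md5WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(cert_der):
    """Name the outer signatureAlgorithm of a DER-encoded X.509 Certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                 # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)            # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)             # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    if oid[:-1] == RSA_PREFIX and oid[-1] in SIG_ALGS:
        return SIG_ALGS[oid[-1]]
    return "unknown:" + oid.hex()

def weak_certs(bundle):
    """Return {label: algorithm} for entries signed with MD2 or MD5."""
    algs = {label: signature_algorithm(der) for label, der in bundle.items()}
    return {label: alg for label, alg in algs.items() if alg in WEAK}

def tlv(tag, value):  # DER-encode one element (constructed samples stay < 256 bytes)
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def skeleton(alg):  # constructed input: empty tbsCertificate, dummy 128-byte signature
    alg_id = tlv(0x30, tlv(0x06, RSA_PREFIX + bytes([alg])) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"") + alg_id + tlv(0x03, b"\x00" + b"\xaa" * 128))

SAMPLE = {"ca-md2": skeleton(2), "ca-md5": skeleton(4), "ca-sha256": skeleton(11)}
```

For a real PEM bundle, convert each certificate with `ssl.PEM_cert_to_DER_cert` before passing it to `signature_algorithm`.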