[Help-gnutls] Re: Certificate verification failed

Simon Josefsson jas at extundo.com
Thu Oct 27 14:40:11 CEST 2005

Daniel Stenberg <daniel at haxx.se> writes:

> On Thu, 27 Oct 2005, Simon Josefsson wrote:
>> However, I am skeptical about supporting MD2, and even MD5, by
>> default.  I know GnuTLS certtool print a warning about MD5, but the
>> library does not, and most GnuTLS library users probably doesn't
>> either.
> Perhaps if we got some nice pointers in the docs or something us
> library users could also output a warning in similar style.

Use gnutls_x509_crt_get_signature_algorithm() on the certificates in
the chain, if any of them GNUTLS_SIGN_RSA_MD5 or GNUTLS_SIGN_RSA_MD2,
I think you are in potential trouble and may issue a warning.

However, you are right that this problem warrant a section in the
manual.  I'll try to add one, and post it here for review.

> I would be fine with that, but as you can assume I would have to more
> or less unconditionally enable them for libcurl, since as you just
> saw: official CA certs out of our control clearly are using such
> algorithms.

How about only enabling use of MD2/MD5 when --insecure is used?


More information about the Gnutls-help mailing list