Working around wrong algorithm specification in certificates

Nikos Mavrogiannopoulos nmav at
Sat Jul 24 10:55:50 CEST 2010

On 07/24/2010 03:06 AM, Mads Kiilerich wrote:

>>> I can see that you added PK_X509_RSA_OID since 2.10.0. Could this
>>> perhaps be added too?
>>> There is also anecdotical evidence that SIG_RSA_SHA1_OID needs the same
>>> treatment. I haven't seen that, but getting both fixed at once could be
>>> great.
>> I've added them to the 2.10.x branch. I've not added the SHA1_OID but if
>> you have some certificates using it, I'll add it. Clearly this OID
>> shouldn't have been there!
> Thanks!
> The anecdote of the need for SIG_RSA_SHA1_OID could be tracked down to
> the comments on
> . But the BER encoded certificate on
> (which, despite the text, is _not_ what is displayed) also uses
> tbsCertificate.subjectPublicKeyInfo.algorithm=sha1WithRSAEncryption.
> Please consider adding support for that too.
I've added that too.

> If you are going to make a release from gnutls_2_10_x then I hope you
> will include "Correctly deinitialize crypto API handles." as well.
The fix is already there so it will be included.

> However, according to NEWS you have released 2.11.0 already - but it is
> not on ?
It is a development release so it is available on (not yet)
and only.
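
Added example, not part of the original message and not GnuTLS code: a small DER walker that reads tbsCertificate.subjectPublicKeyInfo.algorithm and reports when a signature OID such as sha1WithRSAEncryption sits where rsaEncryption belongs, which is the mislabelling discussed above. The function names, the status strings and the skeleton certificate built by sample_cert() are constructed for illustration.

```python
# Added example, not GnuTLS code: check tbsCertificate.subjectPublicKeyInfo.algorithm.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"              # rsaEncryption, the expected OID
MISLABELLED = {"1.2.840.113549.1.1.5", "2.5.8.1.1"}  # sha1WithRSAEncryption, X.509 rsa

def read_tlv(buf, pos):                              # -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: n length bytes follow
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def children(buf, start, end):                       # elements inside a constructed value
    while start < end:
        tag, s, start = read_tlv(buf, start)
        yield tag, s, start

def decode_oid(data):
    arcs = [0]
    for byte in data:                                # base-128 groups, high bit = more follows
        arcs[-1] = (arcs[-1] << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(0)
    first = min(arcs[0] // 40, 2)                    # first group packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:-1]))

def check_key_algorithm(cert):
    _, s, e = read_tlv(cert, read_tlv(cert, 0)[1])   # Certificate -> tbsCertificate
    fields = [f for f in children(cert, s, e) if f[0] != 0xA0]  # drop optional version
    _, s, e = fields[5]                              # 6th field: subjectPublicKeyInfo
    _, s, e = next(children(cert, s, e))             # AlgorithmIdentifier
    tag, s, e = next(children(cert, s, e))           # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("algorithm is not an OID")
    oid = decode_oid(cert[s:e])
    status = "ok" if oid == RSA_ENCRYPTION else "mislabelled-rsa" if oid in MISLABELLED else "unsupported"
    return status, oid

def tlv(tag, body=b""):                              # builder for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_cert(oid_hex="2a864886f70d010105"):       # constructed skeleton, not a real cert
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30) * 3 + tlv(0x30, alg + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

A verifier that accepts the "mislabelled-rsa" case should still parse the key itself as an RSA public key and log the certificate, since the field is being tolerated rather than trusted.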

