[gnutls-help] Help allowing SHA1

Dimitri John Ledkov xnox at ubuntu.com
Thu Jan 23 08:28:34 CET 2020


On Wed, 22 Jan 2020 at 16:42, Brandon Sawyers <brandor5 at gmail.com> wrote:
> Hello everyone:
> A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still in the process of migrating our last services off of SHA1 with a target date of April this has put us in a pickle.
> From reading the docs I expect I should be able to use priority and allow SHA1 to function, however making this work has been rather frustrating.
> I've tried several different versions of the following command but I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should work.
> `gnutls-bin --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
> What am I doing wrong?

This seems ok.

Looking at gnutls master, a few things jump out.
GNUTLS_VERIFY_ALLOW_BROKEN doesn't include the
GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 flag. Thus if gnutls-cli does
specify --verify-allow-broken that doesn't add SHA1.

I guess --insecure will do perform the connection.

However, the best you can do is to upgrade your certs. Even if it is
internal.directory.org you should be able to get letsencrypt cert, and
if needed instrument a reverse proxy webserver in front of
internal.directory.org if for some reason it can't do TLSv1.2 / bigger
certs / legacy clients / etc.

Similarly one can do similarish things on client, i.e. download the
older gnutls28 from the archive/launchpad and LD_PRELOAD the old
libgnutls30 - the api/abi should have stayed stable to do that.



More information about the Gnutls-help mailing list