[gnutls-help] Help allowing SHA1

Brandon Sawyers brandor5 at gmail.com
Thu Jan 23 12:35:31 CET 2020


The problem is that we're not on master.

Ubuntu 1604 is shipping 3.4.10 and 1804 has 3.5.18.

The options you mentioned are not available in those versions.

We are well aware of what the correct answer is, however moving a large
organization at once isn't a valid option for us.

Thanks,
Brandon


On Thu, Jan 23, 2020, 02:28 Dimitri John Ledkov <xnox at ubuntu.com> wrote:

> Hi,
>
> On Wed, 22 Jan 2020 at 16:42, Brandon Sawyers <brandor5 at gmail.com> wrote:
> >
> > Hello everyone:
> >
> > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804
> (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still
> in the process of migrating our last services off of SHA1 with a target
> date of April this has put us in a pickle.
> >
> > From reading the docs I expect I should be able to use priority and
> allow SHA1 to function, however making this work has been rather
> frustrating.
> >
> > I've tried several different versions of the following command but I
> would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should
> work.
> >
> > `gnutls-cli --x509cafile ./cachain-with-sha1-signed-cert.pem
> --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
> >
> > What am I doing wrong?
> >
>
> This seems ok.
>
> Looking at gnutls master, a few things jump out.
> GNUTLS_VERIFY_ALLOW_BROKEN doesn't include the
> GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 flag. Thus if gnutls-cli does
> specify --verify-allow-broken that doesn't add SHA1.
>
> I guess --insecure will perform the connection.
>
> However, the best you can do is to upgrade your certs. Even if it is
> internal.directory.org you should be able to get letsencrypt cert, and
> if needed instrument a reverse proxy webserver in front of
> internal.directory.org if for some reason it can't do TLSv1.2 / bigger
> certs / legacy clients / etc.
>
> Similarly one can do similarish things on client, i.e. download the
> older gnutls28 from the archive/launchpad and LD_PRELOAD the old
> libgnutls30 - the api/abi should have stayed stable to do that.
>
>
> --
> Regards,
>
> Dimitri.
>
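The bundle name in the original command (cachain-with-sha1-signed-cert.pem) says a SHA-1 link sits somewhere in the chain, and a migration with a target date needs a list of exactly which certificates still carry SHA-1 signatures. The script below is an added example, not code from this thread or from the GnuTLS project: a standard-library-only Python audit that walks each certificate in a PEM bundle far enough into its DER encoding to read the outer signatureAlgorithm OID and flags the SHA-1 ones. The sample bundle it runs on is constructed inside the script (DER skeletons with the Certificate layout, not real certificates), and the OID table is limited to the common RSA, DSA and ECDSA signature OIDs.

```python
"""Audit a PEM bundle for SHA-1 certificate signatures (stdlib only)."""
import base64
import re

# signatureAlgorithm OID -> (name, uses_sha1); common RSA/DSA/ECDSA OIDs only
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}

def der_read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm of a DER Certificate, which is
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _tbs, pos = der_read_tlv(body, 0)      # tbsCertificate: skipped
    tag, alg, _ = der_read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    tag2, oid, _ = der_read_tlv(alg, 0)        # its first element is the OID
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_pem_bundle(text):
    """[(index, algorithm name, uses_sha1)] for each certificate in a PEM bundle."""
    out = []
    for i, m in enumerate(PEM_RE.finditer(text)):
        oid = signature_algorithm(base64.b64decode("".join(m.group(1).split())))
        name, sha1 = SIG_OIDS.get(oid, (oid, False))
        out.append((i, name, sha1))
    return out

# --- constructed sample input: DER skeletons with the Certificate layout ---
# NOT valid certificates (dummy TBS, dummy signature); they only let the
# audit run offline against one SHA-256 and one SHA-1 signed entry.
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = bytes([a & 0x7F]), a >> 7
        while a:
            chunk, a = bytes([0x80 | (a & 0x7F)]) + chunk, a >> 7
        out += chunk
    return out

def skeleton_cert(sig_oid):
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                   # stand-in TBS
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" + b"\xAB" * 160)              # forces long-form length
    return tlv(0x30, tbs + alg + sig)

def pem_wrap(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (pem_wrap(skeleton_cert("1.2.840.113549.1.1.11"))   # sha256: fine
                 + pem_wrap(skeleton_cert("1.2.840.113549.1.1.5")))  # sha1: flagged

if __name__ == "__main__":
    for idx, name, sha1 in audit_pem_bundle(SAMPLE_BUNDLE):
        flag = "  <-- SHA-1 signed, reissue before dropping the workaround" if sha1 else ""
        print(f"cert {idx}: {name}{flag}")
```

To run it against a real chain, replace SAMPLE_BUNDLE with the contents of the PEM file (the one passed to --x509cafile, or the chain a server sends). It reports the outer signature algorithm of every certificate in the file, trust anchor included; whether a verifier also checks the anchor's own signature is implementation-specific, so read the root's entry with that in mind. An unknown OID is reported as the dotted string rather than being treated as safe.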