[gnutls-help] Help allowing SHA1

Dimitri John Ledkov xnox at ubuntu.com
Thu Jan 23 13:16:14 CET 2020


On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>
> On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <brandor5 at gmail.com> wrote:
> >
> > Hello everyone:
> >
> > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still in the process of migrating our last services off of SHA1 with a target date of April this has put us in a pickle.
> >
> > From reading the docs I expect I should be able to use priority and allow SHA1 to function, however making this work has been rather frustrating.
> >
> > I've tried several different versions of the following command but I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should work.
> >
> > `gnutls-bin --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>
> Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available
> priority strings are documented in:
> https://gnutls.org/manual/html_node/Priority-Strings.html
>

From what I can tell, the backports do not include that
flag.... I'm escalating this, as this is regression-security as I do
not believe that upstream code is affected as this is an issue in the
patch set released in ubuntu.

I hope to move this discussion downstream to
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656


--
Regards,

Dimitri.
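Since the thread is about chains that still depend on SHA-1 signatures (what %VERIFY_ALLOW_SIGN_WITH_SHA1 would tolerate at verification time), the following added example, which is not code from the thread or from GnuTLS, scans a PEM bundle such as cachain-with-sha1-signed-cert.pem and reports which certificates carry a SHA-1 signatureAlgorithm, so the remaining migration targets can be inventoried without loosening the priority string. It only needs the Python standard library; the sample chain it ships with is a constructed, certificate-shaped DER blob, not a real certificate.

```python
import base64
import re
# signatureAlgorithm OIDs (RFC 5280 4.1.1.2) that GnuTLS rejects by default;
# %VERIFY_ALLOW_SIGN_WITH_SHA1 would re-enable chains signed with them.
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsaWithSHA1",
                 "1.2.840.10045.4.1": "ecdsaWithSHA1"}

def _tlv(der, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OID content octets (base-128 arcs) into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER Certificate (tbs, alg, sig)."""
    _, start, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)          # tbsCertificate (skipped whole)
    _, alg_start, _ = _tlv(der, tbs_end)      # signatureAlgorithm ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:                           # OBJECT IDENTIFIER expected
        raise ValueError("malformed signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def sha1_signed_certs(pem_text):
    """[(index, algorithm name)] for each SHA-1 signed cert in a PEM bundle."""
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    found = []
    for i, body in enumerate(bodies):
        oid = signature_oid(base64.b64decode("".join(body.split())))
        if oid in SHA1_SIG_OIDS:
            found.append((i, SHA1_SIG_OIDS[oid]))
    return found

def _fake_cert_pem(oid_hex):
    """Constructed certificate-shaped PEM (NOT a real cert): empty TBS, given OID."""
    tlv = lambda tag, c: bytes([tag, len(c)]) + c   # short-form DER only
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample chain: cert 0 sha256WithRSAEncryption, cert 1 sha1WithRSAEncryption.
SAMPLE_CHAIN = _fake_cert_pem("2a864886f70d01010b") + _fake_cert_pem("2a864886f70d010105")
```

Run it against a real bundle with `sha1_signed_certs(open("chain.pem").read())`; an empty list means nothing in that chain needs the SHA-1 allowance.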


