[gnutls-help] Help allowing SHA1

Dimitri John Ledkov xnox at ubuntu.com
Sun Jan 26 22:56:16 CET 2020


On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <xnox at ubuntu.com> wrote:
>
> On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> >
> > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <brandor5 at gmail.com> wrote:
> > >
> > > Hello everyone:
> > >
> > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still in the process of migrating our last services off of SHA1 with a target date of April this has put us in a pickle.
> > >
> > > From reading the docs I expect I should be able to use priority and allow SHA1 to function, however making this work has been rather frustrating.
> > >
> > > I've tried several different versions of the following command but I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should work.
> > >
> > > `gnutls-bin --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
> >
> > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available
> > priority strings are documented in:
> > https://gnutls.org/manual/html_node/Priority-Strings.html
> >
>
> From what I can tell is that the backports do not include that
> flag.... I'm escalating this, as this is regression-security as I do
> not believe that upstream code is affected as this is an issue in the
> patch set released in ubuntu.
>
> I hope to move this discussion downstream to
> https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
>

To close this out, a further update got published to the affected
releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
"%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
one to re-enable obsoleted hashes in certificate signatures.

But please upgrade your certificates to use SHA256 nonetheless as
progressively more software will start outright reject SHA1
certificates without a way to turn them back on.

-- 
Regards,

Dimitri.



More information about the Gnutls-help mailing list