[gnutls-help] Help allowing SHA1

Brandon Sawyers brandor5 at gmail.com
Sun Jan 26 23:18:14 CET 2020


Thanks for the help.

We are already in the process of updating so of the certs. Thanks for the
reminder.

Now I just need to figure out how to have the priority strong apply system
wide instead of just gnutls-cli.

Any tips there?

Thanks again,
Brandon



On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <xnox at ubuntu.com> wrote:

> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <xnox at ubuntu.com> wrote:
> >
> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <nmav at gnutls.org>
> wrote:
> > >
> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <brandor5 at gmail.com>
> wrote:
> > > >
> > > > Hello everyone:
> > > >
> > > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and
> 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are
> still in the process of migrating our last services off of SHA1 with a
> target date of April this has put us in a pickle.
> > > >
> > > > From reading the docs I expect I should be able to use priority and
> allow SHA1 to function, however making this work has been rather
> frustrating.
> > > >
> > > > I've tried several different versions of the following command but I
> would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should
> work.
> > > >
> > > > `gnutls-bin --x509cafile ./cachain-with-sha1-signed-cert.pem
> --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
> > >
> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available
> > > priority strings are documented in:
> > > https://gnutls.org/manual/html_node/Priority-Strings.html
> > >
> >
> > From what I can tell is that the backports do not include that
> > flag.... I'm escalating this, as this is regression-security as I do
> > not believe that upstream code is affected as this is an issue in the
> > patch set released in ubuntu.
> >
> > I hope to move this discussion downstream to
> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
> >
>
> To close this out, a further update got published to the affected
> releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
> "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
> one to re-enable obsoleted hashes in certificate signatures.
>
> But please upgrade your certificates to use SHA256 nonetheless as
> progressively more software will start outright reject SHA1
> certificates without a way to turn them back on.
>
> --
> Regards,
>
> Dimitri.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20200126/b8ad1c77/attachment.html>


More information about the Gnutls-help mailing list