[gnutls-help] Help allowing SHA1

Brandon Sawyers brandor5 at gmail.com
Mon Jan 27 05:27:41 CET 2020


Sorry, I should have made it clear before.

I've tried putting the string in both /etc/gnutls/config and
/etc/gnutls/default-priorites according to the docs I found, but neither
worked.

Thanks,

On Sun, Jan 26, 2020, 17:18 Brandon Sawyers <brandor5 at gmail.com> wrote:

> Thanks for the help.
>
> We are already in the process of updating some of the certs. Thanks for the
> reminder.
>
> Now I just need to figure out how to have the priority string apply system
> wide instead of just gnutls-cli.
>
> Any tips there?
>
> Thanks again,
> Brandon
>
>
>
> On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <xnox at ubuntu.com> wrote:
>
>> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <xnox at ubuntu.com>
>> wrote:
>> >
>> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <nmav at gnutls.org>
>> wrote:
>> > >
>> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <brandor5 at gmail.com>
>> wrote:
>> > > >
>> > > > Hello everyone:
>> > > >
>> > > > A recent package upgrade in Ubuntu 16.04 (v3.4.10-4ubuntu1.6) and
>> 18.04 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are
>> still in the process of migrating our last services off of SHA1 with a
>> target date of April this has put us in a pickle.
>> > > >
>> > > > From reading the docs I expect I should be able to use priority and
>> allow SHA1 to function, however making this work has been rather
>> frustrating.
>> > > >
>> > > > I've tried several different versions of the following command but
>> I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set
>> should work.
>> > > >
>> > > > `gnutls-cli --x509cafile ./cachain-with-sha1-signed-cert.pem
>> --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>> > >
>> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available
>> > > priority strings are documented in:
>> > > https://gnutls.org/manual/html_node/Priority-Strings.html
>> > >
>> >
>> > From what I can tell is that the backports do not include that
>> > flag.... I'm escalating this, as this is regression-security as I do
>> > not believe that upstream code is affected as this is an issue in the
>> > patch set released in ubuntu.
>> >
>> > I hope to move this discussion downstream to
>> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
>> >
>>
>> To close this out, a further update got published to the affected
>> releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
>> "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
>> one to re-enable obsoleted hashes in certificate signatures.
>>
>> But please upgrade your certificates to use SHA256 nonetheless, as
>> progressively more software will start outright rejecting SHA1
>> certificates without a way to turn them back on.
>>
>> --
>> Regards,
>>
>> Dimitri.
>>
>
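The thread ends with the advice to find and replace the SHA1-signed certificates rather than rely on %VERIFY_ALLOW_SIGN_WITH_SHA1 for long. The script below is an added example, not code from the list or from the GnuTLS project: it walks the outer DER structure of every certificate in a PEM bundle (the same kind of file handed to --x509cafile) and reports each certificate's signatureAlgorithm OID, flagging the SHA1 ones. It uses only the Python standard library. The sample bundle at the bottom is constructed: the three "certificates" have the real Certificate SEQUENCE layout but a dummy tbsCertificate and signature, so they parse but are not valid certificates.

```python
"""Report which certificates in a PEM bundle are signed with SHA-1 (stdlib only).

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Only the outer structure is parsed; the tbsCertificate body is skipped.
"""
import base64
import re
import sys

SIG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.113549.1.1.10": "rsassa-pss",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(data, offset=0):
    """Parse one DER TLV at offset; return (tag, value, offset_after_value)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length


def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, off = read_tlv(body)          # tbsCertificate (skipped)
    tag, algid, _ = read_tlv(body, off)    # AlgorithmIdentifier SEQUENCE
    tag2, oid, _ = read_tlv(algid)         # its first element is the OID
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected AlgorithmIdentifier encoding")
    return decode_oid(oid)


def pem_certificates(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit(pem_text):
    """One record per certificate in the bundle, in file order."""
    rows = []
    for i, der in enumerate(pem_certificates(pem_text)):
        oid = signature_oid(der)
        rows.append({"index": i, "oid": oid,
                     "name": SIG_NAMES.get(oid, "unknown"),
                     "sha1": oid in SHA1_SIG_OIDS})
    return rows


# ---- constructed sample bundle (NOT real certificates; for demonstration only) ----
def _tlv(tag, body):
    """DER-encode one TLV, using long-form length when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert(oid_content):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                     # dummy tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_content) + b"\x05\x00")   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xff" * 200)                # dummy BIT STRING (forces long-form length)
    der = _tlv(0x30, tbs + alg + sig)
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (
    _fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")   # sha1WithRSAEncryption
    + _fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
    + _fake_cert(b"\x2a\x86\x48\xce\x3d\x04\x03\x02")      # ecdsa-with-SHA256
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for row in audit(text):
        status = "SHA1 signature, replace before removing the override" if row["sha1"] else "ok"
        print(f"cert #{row['index']}: {row['name']} ({row['oid']}): {status}")
```

Run it as `python3 audit_sha1.py ./cachain-with-sha1-signed-cert.pem` against the bundle from the thread, or with no argument to see the constructed sample. A self-signed root's SHA1 signature is usually harmless (verifiers trust roots by identity, not by signature), so the certificates to act on first are the intermediates and leaves the script flags.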

