[gnutls-help] Help allowing SHA1

Brandon Sawyers brandor5 at gmail.com
Thu Jan 30 18:35:45 CET 2020


Yes, that's the conclusion we came to as well.

Our plan is to hold updates to libgnutls30 until we can update the bad cert.

Thanks,

On Thu, Jan 30, 2020, 04:33 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> I do not think (but please correct me), that this version of ubuntu
> you're using has something like a system-wide policy, so it will not
> be possible to change the sha1 acceptance system-wide. In that case it
> will be more effective to try and change the priority string on the
> specific applications you are interested. The newer versions of gnutls
> have a more powerful configuration that can be used to implement a
> modifiable system-wide policy.
>
> regards,
> Nikos
>
> On Mon, Jan 27, 2020 at 5:29 AM Brandon Sawyers <brandor5 at gmail.com>
> wrote:
> >
> > Sorry, I should have made it clear before.
> >
> > I've tried putting the string in both /etc/gnutls/config and
> > /etc/gnutls/default-priorities according to the docs I found, but neither
> > worked.
> >
> > Thanks,
> >
> > On Sun, Jan 26, 2020, 17:18 Brandon Sawyers <brandor5 at gmail.com> wrote:
> >>
> >> Thanks for the help.
> >>
> >> We are already in the process of updating some of the certs. Thanks for
> >> the reminder.
> >>
> >> Now I just need to figure out how to have the priority string apply
> >> system-wide instead of just gnutls-cli.
> >>
> >> Any tips there?
> >>
> >> Thanks again,
> >> Brandon
> >>
> >>
> >>
> >> On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <xnox at ubuntu.com>
> wrote:
> >>>
> >>> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <xnox at ubuntu.com>
> wrote:
> >>> >
> >>> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <
> nmav at gnutls.org> wrote:
> >>> > >
> >>> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <
> brandor5 at gmail.com> wrote:
> >>> > > >
> >>> > > > Hello everyone:
> >>> > > >
> >>> > > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and
> 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are
> still in the process of migrating our last services off of SHA1 with a
> target date of April this has put us in a pickle.
> >>> > > >
> >>> > > > From reading the docs I expect I should be able to use priority
> and allow SHA1 to function, however making this work has been rather
> frustrating.
> >>> > > >
> >>> > > > I've tried several different versions of the following command
> but I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set
> should work.
> >>> > > >
> >>> > > > `gnutls-cli --x509cafile ./cachain-with-sha1-signed-cert.pem
> >>> > > > --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
> >>> > >
> >>> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The
> available
> >>> > > priority strings are documented in:
> >>> > > https://gnutls.org/manual/html_node/Priority-Strings.html
> >>> > >
> >>> >
> >>> > From what I can tell, the backports do not include that
> >>> > flag. I'm escalating this, as this is regression-security: I do
> >>> > not believe that upstream code is affected, as this is an issue in the
> >>> > patch set released in Ubuntu.
> >>> >
> >>> > I hope to move this discussion downstream to
> >>> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
> >>> >
> >>>
> >>> To close this out, a further update got published to the affected
> >>> releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
> >>> "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
> >>> one to re-enable obsoleted hashes in certificate signatures.
> >>>
> >>> But please upgrade your certificates to use SHA256 nonetheless, as
> >>> progressively more software will start outright rejecting SHA1
> >>> certificates without a way to turn them back on.
> >>>
> >>> --
> >>> Regards,
> >>>
> >>> Dimitri.
> >
> > _______________________________________________
> > Gnutls-help mailing list
> > Gnutls-help at lists.gnutls.org
> > http://lists.gnupg.org/mailman/listinfo/gnutls-help
>
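The thread's workaround is a priority-string flag, but the durable fix is finding and reissuing the SHA1-signed certificate in the chain. As an added example (not code from this thread or from GnuTLS), here is a small Python audit that reads a PEM bundle, pulls each certificate's signatureAlgorithm OID straight from the DER, and flags the algorithms the patched GnuTLS builds reject; the sample bundle is constructed DER, not a real certificate chain.

```python
import base64
import re

# DER-encoded signature-algorithm OIDs -> (name, is_sha1). The SHA1 ones are what
# the patched GnuTLS builds refuse unless %VERIFY_ALLOW_SIGN_WITH_SHA1 is set.
SIG_ALGS = {
    bytes.fromhex("2A864886F70D010105"): ("sha1WithRSAEncryption", True),    # 1.2.840.113549.1.1.5
    bytes.fromhex("2A8648CE3D0401"): ("ecdsa-with-SHA1", True),              # 1.2.840.10045.4.1
    bytes.fromhex("2A864886F70D01010B"): ("sha256WithRSAEncryption", False), # 1.2.840.113549.1.1.11
    bytes.fromhex("2A8648CE3D040302"): ("ecdsa-with-SHA256", False),         # 1.2.840.10045.4.3.2
}

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }; return the OID octets."""
    tag, cert, _ = der_tlv(der, 0)
    _, _, after_tbs = der_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, after_tbs)   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = der_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    return oid

def audit_chain(pem_text):
    """Return [(index, algorithm name, needs_reissue)] for each cert in a PEM bundle."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    report = []
    for i, b64 in enumerate(re.findall(pattern, pem_text, re.S)):
        oid = signature_algorithm(base64.b64decode(b64))
        name, weak = SIG_ALGS.get(oid, ("unknown OID " + oid.hex(), False))
        report.append((i, name, weak))
    return report

def sample_chain():
    """Constructed PEM bundle (not real certs): a SHA1-signed leaf, then a SHA256-signed CA."""
    def tlv(tag, body):  # short-form DER encoder, enough for this sample
        return bytes([tag, len(body)]) + body
    pem = ""
    for oid_hex in ("2A864886F70D010105", "2A864886F70D01010B"):
        alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
        der = tlv(0x30, tlv(0x30, b"") + alg + tlv(0x03, b"\x00"))  # empty tbs + alg + sig
        pem += "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
    return pem
```

`audit_chain(sample_chain())` returns `[(0, 'sha1WithRSAEncryption', True), (1, 'sha256WithRSAEncryption', False)]`; point it at the real cachain-with-sha1-signed-cert.pem to see which certificate in the chain needs replacing.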