[gnutls-help] Help allowing SHA1

Dimitri John Ledkov xnox at ubuntu.com
Thu Jan 30 23:54:01 CET 2020


I think apt pinning down the update is the best option you have for now.

In gnutls master, I have added a straightforward default priority barring
override, such that if something like this happens in 20.04 LTS there will
be a straightforward way to apply a different global default.

On Thu, 30 Jan 2020, 17:35 Brandon Sawyers, <brandor5 at gmail.com> wrote:

> Yes that's the conclusion we came to as well.
>
> Our plan is to hold updates to libgnutls30 until we can update the bad
> cert.
>
> Thanks,
>
> On Thu, Jan 30, 2020, 04:33 Nikos Mavrogiannopoulos <nmav at gnutls.org>
> wrote:
>
>> I do not think (but please correct me), that this version of ubuntu
>> you're using has something like a system-wide policy, so it will not
>> be possible to change the sha1 acceptance system-wide. In that case it
>> will be more effective to try and change the priority string on the
>> specific applications you are interested. The newer versions of gnutls
>> have a more powerful configuration that can be used to implement a
>> modifiable system-wide policy.
>>
>> regards,
>> Nikos
>>
>> On Mon, Jan 27, 2020 at 5:29 AM Brandon Sawyers <brandor5 at gmail.com>
>> wrote:
>> >
>> > Sorry, I should have made it clear before.
>> >
>> > I've tried putting the string in both /etc/gnutls/config and
>> /etc/gnutls/default-priorites according to the docs I found but, neither
>> worked.
>> >
>> > Thanks,
>> >
>> > On Sun, Jan 26, 2020, 17:18 Brandon Sawyers <brandor5 at gmail.com> wrote:
>> >>
>> >> Thanks for the help.
>> >>
>> >> We are already in the process of updating some of the certs. Thanks for
>> the reminder.
>> >>
>> >> Now I just need to figure out how to have the priority string apply
>> system wide instead of just gnutls-cli.
>> >>
>> >> Any tips there?
>> >>
>> >> Thanks again,
>> >> Brandon
>> >>
>> >>
>> >>
>> >> On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <xnox at ubuntu.com>
>> wrote:
>> >>>
>> >>> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <xnox at ubuntu.com>
>> wrote:
>> >>> >
>> >>> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <
>> nmav at gnutls.org> wrote:
>> >>> > >
>> >>> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <
>> brandor5 at gmail.com> wrote:
>> >>> > > >
>> >>> > > > Hello everyone:
>> >>> > > >
>> >>> > > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6)
>> and 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we
>> are still in the process of migrating our last services off of SHA1 with a
>> target date of April this has put us in a pickle.
>> >>> > > >
>> >>> > > > From reading the docs I expect I should be able to use priority
>> and allow SHA1 to function, however making this work has been rather
>> frustrating.
>> >>> > > >
>> >>> > > > I've tried several different versions of the following command
>> but I would expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set
>> should work.
>> >>> > > >
>> >>> > > > `gnutls-cli --x509cafile ./cachain-with-sha1-signed-cert.pem
>> --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>> >>> > >
>> >>> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The
>> >>> > > available priority strings are documented in:
>> >>> > > https://gnutls.org/manual/html_node/Priority-Strings.html
>> >>> > >
>> >>> >
>> >>> > From what I can tell is that the backports do not include that
>> >>> > flag.... I'm escalating this, as this is regression-security as I do
>> >>> > not believe that upstream code is affected as this is an issue in
>> >>> > the patch set released in ubuntu.
>> >>> >
>> >>> > I hope to move this discussion downstream to
>> >>> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
>> >>> >
>> >>>
>> >>> To close this out, a further update got published to the affected
>> >>> releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
>> >>> "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
>> >>> one to re-enable obsoleted hashes in certificate signatures.
>> >>>
>> >>> But please upgrade your certificates to use SHA256 nonetheless as
>> >>> progressively more software will start outright rejecting SHA1
>> >>> certificates without a way to turn them back on.
>> >>>
>> >>> --
>> >>> Regards,
>> >>>
>> >>> Dimitri.
>> >
>>
>
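The thread's underlying task is finding out which certificates in a chain like cachain-with-sha1-signed-cert.pem still carry SHA1 signatures before more software refuses them. The following is an added example (not code from the thread or from the gnutls project) that walks a PEM bundle with a minimal DER reader, reads each certificate's outer signatureAlgorithm OID, and flags the SHA1-based ones; the sample bundle is constructed inline from placeholder certificates so it runs offline.

```python
import base64
import re

# Signature algorithm OIDs; the two SHA1 entries are what the gnutls update rejects.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(data: bytes, pos: int):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)      # AlgorithmIdentifier
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def audit_chain(pem_text: str):
    """Return (index, oid, name, is_sha1) for every certificate in a PEM bundle."""
    out = []
    for i, body in enumerate(PEM_RE.findall(pem_text)):
        oid = signature_oid(base64.b64decode("".join(body.split())))
        name, weak = SIG_OIDS.get(oid, ("unknown", False))
        out.append((i, oid, name, weak))
    return out

def der(tag: int, content: bytes) -> bytes:
    """DER encoder used only to construct the sample bundle below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def placeholder_cert(oid_bytes: bytes) -> str:
    """Constructed stand-in: a SEQUENCE with a stub tbsCertificate and the given signature OID."""
    tbs = der(0x30, der(0x02, b"\x01"))
    algid = der(0x30, der(0x06, oid_bytes) + der(0x05, b""))
    b64 = base64.b64encode(der(0x30, tbs + algid + der(0x03, b"\x00" * 5))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample: a SHA256-signed certificate followed by a SHA1-signed one.
SAMPLE_BUNDLE = (placeholder_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                 + placeholder_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))

if __name__ == "__main__":
    for idx, oid, name, weak in audit_chain(SAMPLE_BUNDLE):
        print(f"cert {idx}: {name} ({oid}) {'<-- SHA1, needs reissue' if weak else ''}")
```

For a real chain file, pass the file contents to audit_chain; a self-signed trust anchor's own signature algorithm is normally not checked during verification, so the entries to act on are the SHA1 signatures on the certificates below the root.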