[Help-gnutls] Re: Certificate verification failed
From: Nikos Mavrogiannopoulos
Subject: [Help-gnutls] Re: Certificate verification failed
Date: Thu, 27 Oct 2005 11:29:44 +0200
User-agent: KMail/1.8.2
On Thursday 27 October 2005 10:56, Simon Josefsson wrote:
> > This cannot be solved. This certificate uses MD2 which is not included in
> > libgcrypt as yet. I don't know if there are plans to include it in the
> > future though.
> We could add a MD2 implementation to gnulib, to make GnuTLS support
> this when MD2 is not available through libgcrypt. I'm working on this
> now.
That would be nice to have.
> However, I am skeptical about supporting MD2, and even MD5, by
> default. I know GnuTLS certtool prints a warning about MD5, but the
> library does not, and most GnuTLS library users probably don't
> either.
Hmmm... about MD5, we are going to get a bunch of complaints if it is not
enabled by default. But that would be the right thing to do, given that it is not
that hard to generate colliding certificates:
http://www.win.tue.nl/~bdeweger/CollidingCertificates/index.html
> I think we should disable both MD2 and MD5, and introduce an API to
> modify gnutls_certificate_verify_peers2, à la
> gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)
This will not be necessary if we introduce the flags below. verify_peers2
will use the flags from gnutls_certificate_set_verify_flags().
> and a new gnutls_certificate_verify_flags enumeration type, for
> gnutls_x509_crt_verify calls, e.g.:
> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2
> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
Yes, it is indeed a very nice idea. Security must be an issue in the library.
> Cheers,
> Simon
--
Nikos Mavrogiannopoulos
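The policy the two of them are converging on above (MD2- and MD5-signed certificates rejected by default, accepted only when the caller opts in through verify flags) is small enough to show end to end. The block below is an added illustration written for this page; it is not GnuTLS code and not the API the thread proposes, and the flag names (VERIFY_ALLOW_SIGN_RSA_MD2, VERIFY_ALLOW_SIGN_RSA_MD5), the DER helpers and the sample certificates are all assumptions made for the example. It reads the signatureAlgorithm OID out of a DER Certificate and applies the flag check; the point is that this step is separate from, and must run in addition to, checking the signature itself, because a colliding-certificate attack produces a signature that verifies correctly.

```python
"""Added example: reject MD2/MD5 certificate signatures unless a verify flag
allows them.  Hypothetical illustration of the verify-flags idea, not GnuTLS's
implementation; flag names and DER helpers are assumptions for this example."""

# Opt-in flags, named after the proposal in the thread (values assumed here).
VERIFY_ALLOW_SIGN_RSA_MD2 = 1 << 0
VERIFY_ALLOW_SIGN_RSA_MD5 = 1 << 1

# PKCS#1 signature-algorithm OIDs, dotted form.
OID_MD2_RSA = "1.2.840.113549.1.1.2"
OID_MD5_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"

# Algorithms that need an explicit flag before they are accepted.
INSECURE = {OID_MD2_RSA: VERIFY_ALLOW_SIGN_RSA_MD2,
            OID_MD5_RSA: VERIFY_ALLOW_SIGN_RSA_MD5}


def _der_len(n):
    """DER definite-length encoding of n."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One DER TLV."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (first arc 0, 1 or 2)."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body):
    """Dotted notation from an OID body (simplified: assumes first arc < 2 or
    second arc < 40, which holds for the PKCS#1 arcs used here)."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; definite lengths only."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + ln
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns the OID inside the outer signatureAlgorithm AlgorithmIdentifier."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)            # skip tbsCertificate
    tag, algid, _ = read_tlv(cert, pos)         # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def check_signature_algorithm(cert_der, flags=0):
    """Algorithm policy step of verification: (ok, detail).  MD2/MD5 are
    refused unless the matching flag is set; other algorithms pass through."""
    oid = signature_algorithm_oid(cert_der)
    needed = INSECURE.get(oid)
    if needed is not None and not (flags & needed):
        return False, "signature algorithm %s not allowed by verify flags" % oid
    return True, oid


def make_test_cert(sig_oid):
    """Constructed sample: a structurally valid Certificate shell with dummy
    tbsCertificate and signatureValue, built only to exercise the parser."""
    tbs = der(0x30, der(0x02, b"\x01"))                         # placeholder TBS
    algid = der(0x30, encode_oid(sig_oid) + der(0x05, b""))      # OID + NULL params
    sig = der(0x03, b"\x00" * 17)                                # placeholder BIT STRING
    return der(0x30, tbs + algid + sig)


if __name__ == "__main__":
    for oid in (OID_MD2_RSA, OID_MD5_RSA, OID_SHA1_RSA):
        print(oid, "default:", check_signature_algorithm(make_test_cert(oid)))
        print(oid, "allow-MD5:",
              check_signature_algorithm(make_test_cert(oid), VERIFY_ALLOW_SIGN_RSA_MD5))
```

With no flags the MD2 and MD5 samples are refused and SHA-1 passes; setting only VERIFY_ALLOW_SIGN_RSA_MD5 readmits MD5 while MD2 stays refused, which is the per-algorithm granularity the proposed enumeration gives over a single on/off switch. A real verifier would run this check for every certificate in the chain, not just the leaf.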