[Help-gnutls] Re: Certificate verification failed
From: Simon Josefsson
Subject: [Help-gnutls] Re: Certificate verification failed
Date: Thu, 27 Oct 2005 12:08:35 +0200
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Nikos Mavrogiannopoulos <address@hidden> writes:

>> I think we should disable both MD2 and MD5, and introduce an API to
>> modify gnutls_certificate_verify_peers2, a'la
>> gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)
> This will not be necessary if we introduce the flags below. verify_peers2
> will use the flags from gnutls_certificate_set_verify_flags().

Ah, right, I forgot about that interface. Nice.

>> and a new gnutls_certificate_verify_flags enumeration type, for
>> gnutls_x509_crt_verify calls, e.g.:
>> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2
>> GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
> Yes it is indeed a very nice idea. Security must be an issue in the library.

Right. I think the defaults should be slightly conservative. Given
that MD2 is broken, and there is even information on how to produce
certificates with colliding signatures for MD5, I think we are way
past the point of being slightly conservative in disabling them.
But we should have a way to re-enable them, first, to allow for
interoperability.

I'll take a stab at fixing this later today...

Thanks,
Simon
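
The default-deny policy with per-algorithm opt-in discussed in this message, as a standalone C sketch added here (it is not GnuTLS code and not part of the original mail). The flag names and values, first_rejected() and the sample chain are hypothetical; the OIDs are the standard PKCS #1 signature algorithm identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical opt-in flags, modelled on the ALLOW_SIGN_* names proposed
   in the thread; the values are constructed for this sketch. */
enum { ALLOW_SIGN_RSA_MD2 = 1 << 0, ALLOW_SIGN_RSA_MD5 = 1 << 1 };

/* Weak signature algorithms, keyed by the OID found in a certificate's
   signatureAlgorithm field, with the flag that re-enables each one. */
static const struct { const char *oid, *name; unsigned allow; } weak[] = {
    { "1.2.840.113549.1.1.2", "RSA-MD2", ALLOW_SIGN_RSA_MD2 },
    { "1.2.840.113549.1.1.4", "RSA-MD5", ALLOW_SIGN_RSA_MD5 },
};

/* Returns -1 if every signature in the chain is acceptable under `flags`,
   otherwise the index of the first certificate signed with a weak
   algorithm that the caller did not explicitly re-enable. */
int first_rejected(const char *const *sig_oids, int n, unsigned flags)
{
    for (int i = 0; i < n; i++)
        for (size_t w = 0; w < sizeof weak / sizeof weak[0]; w++)
            if (strcmp(sig_oids[i], weak[w].oid) == 0 &&
                !(flags & weak[w].allow)) {
                fprintf(stderr, "cert %d: %s not allowed\n", i, weak[w].name);
                return i;
            }
    return -1;
}

/* Constructed sample chain: leaf signed with RSA-SHA1, then an
   RSA-MD5-signed intermediate, then an RSA-MD2-signed certificate. */
static const char *const chain[] = {
    "1.2.840.113549.1.1.5",
    "1.2.840.113549.1.1.4",
    "1.2.840.113549.1.1.2",
};

int main(void)
{
    /* Default (flags == 0) is the conservative setting: both are refused. */
    printf("default:   %d\n", first_rejected(chain, 3, 0));
    printf("allow MD5: %d\n", first_rejected(chain, 3, ALLOW_SIGN_RSA_MD5));
    printf("allow all: %d\n", first_rejected(chain, 3,
           ALLOW_SIGN_RSA_MD2 | ALLOW_SIGN_RSA_MD5));
    return 0;
}
```

Each weak algorithm has its own flag, so a caller who needs MD5 for interoperability does not silently accept MD2 as well.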