[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
From: |
Lars Noschinski |
Subject: |
Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
Date: |
Mon, 21 Jun 2010 10:58:38 +0200 |
User-agent: |
Mutt/1.5.20 (2009-06-14) |
Hi,
I am wondering when the flag GNUTLS_VERIFY_DO_NOT_ALLOW_SAME should be
used. I've seen it in use in the Wocky library[0], which is used by the
instant messenger client empathy.
This flag seems to prevent connections to servers using certificates
from CAcert.org, as their root and class3 certificates[1] use MD5 and are
hence deemed insecure by gnutls; i.e.
$ gnutls-cli jabberd.jabber.ccc.de --x509cafile /tmp/cacert.crt
succeeds (where cacert.crt is the concatenation of both the cacert.org
certificates), but if I patch gnutls-cli to set
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, it fails.
Now, this is probably intended behaviour for GnuTLS, but I wonder whether this
flag
is a sensible choice for such a client application?
-- Lars
[0] <http://git.collabora.co.uk/?p=wocky.git>, in particular
<http://git.collabora.co.uk/?p=wocky.git;a=blob;f=wocky/wocky-tls.c;h=b7eeb52db85a33062c39e5629421549ef1c649ce;hb=HEAD>
[1] <http://www.cacert.org/index.php?id=3>
- Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
Lars Noschinski <=
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Simon Josefsson, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Lars Noschinski, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Nikos Mavrogiannopoulos, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Lars Noschinski, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Nikos Mavrogiannopoulos, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Nikos Mavrogiannopoulos, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Lars Noschinski, 2010/06/21
- Re: Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, Nikos Mavrogiannopoulos, 2010/06/21