help-gnutls

Re: Verify MD2 algorithm signed certificates


From: Nikos Mavrogiannopoulos
Subject: Re: Verify MD2 algorithm signed certificates
Date: Wed, 25 Aug 2010 17:13:51 +0200
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6

On 08/25/2010 09:02 AM, liuxiaoyu wrote:

> Hi,
> I am attempting to verify some MD2 algorithm signed certificates using GnuTLS
> 2.6.3.
> I notice it says in the GnuTLS manual that MD2 algorithms have been broken
> and should not be trusted, but flag "GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2" can be
> used with verification functions "gnutls_x509_crt_verify()" to allow
> certificates to be signed using the old MD2 algorithm.
> However, when I used the following function call it still returns
> "GNUTLS_CERT_INVALID".
>  gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
>     GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
>     &output);

MD2 is not supported by libgcrypt, thus verification or generation always
fails. If you insist on verifying that, you could try the gnutls 2.11.x
versions compiled against nettle.

In any case you shouldn't even bother. MD2 is so broken that even if the
signature check is correct you shouldn't trust the certificate anyway.

regards,
Nikos
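
Added example (not part of the original message and not GnuTLS code): a check that reports whether a DER certificate's outer signatureAlgorithm is md2WithRSAEncryption, so MD2-signed certificates can be identified without depending on the crypto backend. The names cert_sig_is_md2, der_next and the SAMPLE_* byte strings are constructed for illustration; the samples are skeletons, not valid certificates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of OID 1.2.840.113549.1.1.2 (md2WithRSAEncryption). */
static const unsigned char OID_MD2_RSA[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x02};
/* Constructed skeletons: placeholder tbs, AlgorithmIdentifier, empty BIT STRING. */
#define SKEL(last) {0x30,0x18, 0x30,0x03,0x02,0x01,0x00, 0x30,0x0d,0x06,0x09, \
    0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,(last), 0x05,0x00, 0x03,0x02,0x00,0x00}
static const unsigned char SAMPLE_MD2[] = SKEL(0x02);    /* md2WithRSAEncryption */
static const unsigned char SAMPLE_SHA256[] = SKEL(0x0b); /* sha256WithRSAEncryption */

/* Read one DER TLV at *p, bounded by end; advance *p past it. Returns 0 on success. */
static int der_next(const unsigned char **p, const unsigned char *end,
                    unsigned char *tag, const unsigned char **val, size_t *vlen)
{
    const unsigned char *q = *p;
    size_t len, n;
    if (end - q < 2) return -1;
    *tag = *q++;
    len = *q++;
    if (len & 0x80) {                       /* long-form length */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1; /* content must fit in the buffer */
    *val = q; *vlen = len; *p = q + len;
    return 0;
}

/* Returns 1 if signed with md2WithRSAEncryption, 0 if not, -1 if malformed. */
int cert_sig_is_md2(const unsigned char *der, size_t len)
{
    const unsigned char *p = der, *end = der + len, *v;
    size_t vl;
    unsigned char tag;
    if (der_next(&p, end, &tag, &v, &vl) || tag != 0x30) return -1; /* Certificate */
    p = v; end = v + vl;
    if (der_next(&p, end, &tag, &v, &vl) || tag != 0x30) return -1; /* tbsCertificate, skipped */
    if (der_next(&p, end, &tag, &v, &vl) || tag != 0x30) return -1; /* signatureAlgorithm */
    p = v; end = v + vl;
    if (der_next(&p, end, &tag, &v, &vl) || tag != 0x06) return -1; /* algorithm OID */
    return vl == sizeof OID_MD2_RSA && memcmp(v, OID_MD2_RSA, vl) == 0;
}

int main(void)
{
    printf("md2 sample: %d\n", cert_sig_is_md2(SAMPLE_MD2, sizeof SAMPLE_MD2));
    printf("sha256 sample: %d\n", cert_sig_is_md2(SAMPLE_SHA256, sizeof SAMPLE_SHA256));
    return 0;
}
```

The check reads only the outer signatureAlgorithm field and performs no signature verification.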