gnutls-devel

Re: gnutls fails to use Verisign CA cert without a Basic Constraint


From: Douglas E. Engert
Subject: Re: gnutls fails to use Verisign CA cert without a Basic Constraint
Date: Mon, 02 Feb 2009 10:48:53 -0600
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)



Simon Josefsson wrote:
I reconsidered, and think we should push this patch into 2.6.x since it
helps users deal with RSA-MD5 chains.  The only recommendation we have
right now is to patch applications to provide an option to accept
RSA-MD5.  That is still insecure.  With your patch, users will have
another transition strategy while they are moving end-entity
certificates from RSA-MD5 chains to a RSA-SHA1 chain: explicitly trust
the intermediary RSA-MD5 cert.  Users can make some additional steps to
mitigate the hazards with RSA-MD5 certs (like comparing it with several
year old intermediary RSA-MD5 certs before the RSA-MD5 vulnerability
was common knowledge).

I used your small patch and pushed the following:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0ca6c0eeb67e3be4f6d79d775f23c3fccba97444

I'll be backporting this to the 2.6.x and 2.4.x branches and make some
pre-releases.

Looks good.


Thanks,
/Simon



--

 Douglas E. Engert  <address@hidden>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444



