deprecating MD5 in signature verification for gnutls-{cli,serv}

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Dec 31 00:14:16 CET 2008


Hi folks--

In light of the recent demonstration of an attack against
X.509 PKI using weaknesses in MD5 [0], I'm quite happy to
see that you must explicitly enable the use of MD5 for
certificate validation in gnutls for over 3 years
(from the 2005-11-07 NEWS entry):

- Due to cryptographic advances, verifying untrusted X.509
  certificates signed with RSA-MD2 or RSA-MD5 will now fail with a
  GNUTLS_CERT_INSECURE_ALGORITHM verification output.  For
  applications that must remain interoperable, you can use the
  GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 or GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
  flags when verifying certificates.  Naturally, this is not
  recommended default behaviour for applications.  To enable the
  broken algorithms, call gnutls_certificate_set_verify_flags with the
  proper flag, to change the verification mode used by
  gnutls_certificate_verify_peers2.

However, gnutls-cli seems to blithely accept certificates that *are*
signed with an md5 hash.  You can see this from a debian system with:

echo | gnutls-cli --print-cert --x509cafile /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem support.mayfirst.org | certtool -i

This seems to be the case with both 2.4.2-4 and 2.6.3-1, afaict,
but I haven't tested with 2.7.x.

Are there plans to change this?

	--dkg

[0] http://www.win.tue.nl/hashclash/rogue-ca/
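The NEWS entry quoted above describes a verification policy: a signature made with RSA-MD2 or RSA-MD5 fails unless the application passes an explicit allow flag. The following is an added example written for this page, not GnuTLS code or dkg's code. It checks the same thing that piping gnutls-cli output through certtool -i lets you read by eye: it walks the DER of a certificate to the outer signatureAlgorithm, decodes the OID, and refuses MD2/MD5 unless an allow flag (the analogue of GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2/MD5) is set. The OID table, the helper names, and the minimal "certificate" built by make_sample_cert are my own constructions; make_sample_cert does not produce a real certificate, only enough structure to exercise the check.

```python
"""Reject X.509 certificates whose signatureAlgorithm is RSA-MD2 or RSA-MD5.

Added example, not GnuTLS code. It mirrors the policy in the GnuTLS NEWS entry:
MD2/MD5 signatures fail verification unless explicitly allowed.
"""
import base64
import re
import sys

# Standard PKCS#1 signature-algorithm OIDs (assumed table, stdlib has none).
INSECURE_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "RSA-MD2",
    "1.2.840.113549.1.1.4": "RSA-MD5",
}
OTHER_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "RSA-SHA1",
    "1.2.840.113549.1.1.11": "RSA-SHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents (base-128 arcs) into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear terminates the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    tag, algid, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def verify_signature_algorithm(der, allow_md5=False, allow_md2=False):
    """Return (accepted, algorithm_name).

    MD2/MD5 are rejected unless the matching allow flag is set, like
    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 / GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5.
    """
    oid = signature_oid(der)
    name = INSECURE_SIG_OIDS.get(oid) or OTHER_SIG_OIDS.get(oid) or oid
    if name == "RSA-MD5":
        return allow_md5, name
    if name == "RSA-MD2":
        return allow_md2, name
    return True, name


def pem_to_der(pem):
    """Strip PEM armour (e.g. a --print-cert block) and base64-decode it."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


# --- constructed sample input (not a real certificate) ---------------------
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length suffices here


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out


def make_sample_cert(sig_oid):
    """Constructed minimal Certificate DER: placeholder tbsCertificate,
    the given signatureAlgorithm, and a dummy signatureValue."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    algid = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 4)
    return _tlv(0x30, tbs + algid + sig)


if __name__ == "__main__":
    # Usage: python check_sig_alg.py cert.pem [more.pem ...]
    for path in sys.argv[1:]:
        data = open(path, "rb").read()
        der = pem_to_der(data.decode()) if data.startswith(b"-----") else data
        ok, name = verify_signature_algorithm(der)
        print(f"{path}: {name} {'accepted' if ok else 'INSECURE_ALGORITHM'}")
```

Feed it the PEM that gnutls-cli --print-cert emits for a chain and it reports, per certificate, the equivalent of GNUTLS_CERT_INSECURE_ALGORITHM; the policy is per-chain in practice, since a self-signed root's own signature is irrelevant while an intermediate signed with MD5 is exactly the case the rogue-CA demonstration exploited.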
