[gnutls-devel] GnuTLS | Apparent failure to accept SHA1 signature of root CA when using SECURE256 (#1348)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Mar 29 15:36:03 CEST 2022
Richard Frith-Macdonald created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1348
## Description of problem:
Unable to establish a connection ... the verification of the server certificate chain fails, reporting an insecure algorithm in the root certificate when SECURE256 is used but not when SECURE128 is used.
## Version of gnutls used:
Latest stable: 3.6.16
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Built from source on CentOS-7 64bit
## How reproducible:
gnutls-cli --priority='SECURE256:!VERS-TLS1.0:!VERS-TLS1.1' --debug=1 smartpayivr1005.tstpaypoint.services:443
## Actual results:
Processed 133 CA certificate(s).
Resolving 'smartpayivr1005.tstpaypoint.services:443'...
Connecting to '81.93.230.131:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=*.tstpaypoint.services,O=Paypoint Network LTD,L=Welwyn Garden City,C=GB', issuer `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x07468da604438a91d14e3e9e33d871b9, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-01-07 00:00:00 UTC', expires `2023-01-07 23:59:59 UTC', pin-sha256="Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M="
Public Key ID:
sha1:d65bd7a88a3f5a554375b033bb3cbc98903935a2
sha256:4a9d6d20cd6750dc8340fff786b0b502589b02b59047220b834ad4384c746753
Public Key PIN:
pin-sha256:Sp1tIM1nUNyDQP/3hrC1AlibArWQRyILg0rUOEx0Z1M=
- Certificate[1] info:
- subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-04-14 00:00:00 UTC', expires `2031-04-13 23:59:59 UTC', pin-sha256="RQeZkB42znUfsDIIFWIRiYEcKl7nHwNFwWCrnMMJbVc="
- Certificate[2] info:
- subject `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x083be056904246b1a1756ac95991c74a, RSA key 2048 bits, signed using RSA-SHA1 (broken!), activated `2006-11-10 00:00:00 UTC', expires `2031-11-10 00:00:00 UTC', pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="
- Status: The certificate is NOT trusted. The certificate chain uses insecure algorithm.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
## Expected results:
Connection should be established ... I think the use of SECURE256 or SECURE128 should make no difference to the verification of the root certificate when that certificate provides a 2048-bit key.
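A triage helper for output like the above, added here as an example and not part of the original report or of GnuTLS: it parses the per-certificate lines printed by gnutls-cli and separates a weak signature on a self-signed certificate from one on a CA-issued certificate. The names `parse_chain`, `weak_signatures` and `WEAK_DIGESTS`, and the weak-digest list itself, are assumptions of this example; the sample lines are taken from the output above with the validity and pin fields dropped.

```python
import re

# Matches one "- subject ..." line as printed by gnutls-cli in the report above.
CERT_RE = re.compile(
    r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)',.*?"
    r"(?P<key_alg>\w+) key (?P<bits>\d+) bits, "
    r"signed using (?P<sig>[\w-]+)(?P<broken> \(broken!\))?"
)

# Assumption of this example (not a list taken from GnuTLS): digests treated as weak.
WEAK_DIGESTS = ("MD2", "MD5", "SHA1")

# Sample input: the three certificate lines from the report, abridged.
SAMPLE = """\
- subject `CN=*.tstpaypoint.services,O=Paypoint Network LTD,L=Welwyn Garden City,C=GB', issuer `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', serial 0x07468da604438a91d14e3e9e33d871b9, RSA key 2048 bits, signed using RSA-SHA256
- subject `CN=DigiCert TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x06d8d904d5584346f68a2fa754227ec4, RSA key 2048 bits, signed using RSA-SHA256
- subject `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x083be056904246b1a1756ac95991c74a, RSA key 2048 bits, signed using RSA-SHA1 (broken!)
"""


def parse_chain(output):
    """Return one dict per certificate line found in gnutls-cli output."""
    chain = []
    for m in CERT_RE.finditer(output):
        sig = m["sig"]
        digest = sig.rsplit("-", 1)[-1]  # "RSA-SHA1" -> "SHA1"
        chain.append({
            "subject": m["subject"],
            "self_signed": m["subject"] == m["issuer"],
            "key": f'{m["key_alg"]}-{m["bits"]}',
            "sig": sig,
            "weak_sig": digest in WEAK_DIGESTS or bool(m["broken"]),
        })
    return chain


def weak_signatures(chain):
    """Chain indices with a weak signature, split by self-signed vs CA-issued."""
    weak = [(i, c) for i, c in enumerate(chain) if c["weak_sig"]]
    return {
        "self_signed": [i for i, c in weak if c["self_signed"]],
        "issued": [i for i, c in weak if not c["self_signed"]],
    }


if __name__ == "__main__":
    chain = parse_chain(SAMPLE)
    for i, c in enumerate(chain):
        print(i, c["key"], c["sig"], "self-signed" if c["self_signed"] else "issued")
    print(weak_signatures(chain))
```
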