[Help-gnutls] Re: Certificate verification failed
Simon Josefsson
jas at extundo.com
Thu Oct 27 14:40:11 CEST 2005
Daniel Stenberg <daniel at haxx.se> writes:
> On Thu, 27 Oct 2005, Simon Josefsson wrote:
>
>> However, I am skeptical about supporting MD2, and even MD5, by
>> default. I know GnuTLS certtool print a warning about MD5, but the
>> library does not, and most GnuTLS library users probably doesn't
>> either.
>
> Perhaps if we got some nice pointers in the docs or something us
> library users could also output a warning in similar style.
Use gnutls_x509_crt_get_signature_algorithm() on the certificates in
the chain, if any of them GNUTLS_SIGN_RSA_MD5 or GNUTLS_SIGN_RSA_MD2,
I think you are in potential trouble and may issue a warning.
However, you are right that this problem warrant a section in the
manual. I'll try to add one, and post it here for review.
> I would be fine with that, but as you can assume I would have to more
> or less unconditionally enable them for libcurl, since as you just
> saw: official CA certs out of our control clearly are using such
> algorithms.
How about only enabling use of MD2/MD5 when --insecure is used?
Thanks,
Simon
More information about the Gnutls-help
mailing list