Security implications of (not using) GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
Lars Noschinski
lars at public.noschinski.de
Mon Jun 21 10:58:38 CEST 2010
Hi,
I am wondering when the flag GNUTLS_VERIFY_DO_NOT_ALLOW_SAME should be
used. I've seen it in use in the Wocky library[0], which is used by the
instant messenger client empathy.
This flag seems to prevent connections to servers using certificates
from CAcert.org, as their root and class3 certificates[1] use MD5 and are
hence deemed insecure by gnutls; i.e.
$ gnutls-cli jabberd.jabber.ccc.de --x509cafile /tmp/cacert.crt
succeeds (where cacert.crt is the concatenation of both the cacert.org
certificates), but if I patch gnutls-cli to set
GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, it fails.
Now, this is probably intended behaviour for GnuTLS, but I wonder whether this flag
is a sensible choice for such a client application?
-- Lars
[0] <http://git.collabora.co.uk/?p=wocky.git>, in particular
<http://git.collabora.co.uk/?p=wocky.git;a=blob;f=wocky/wocky-tls.c;h=b7eeb52db85a33062c39e5629421549ef1c649ce;hb=HEAD>
[1] <http://www.cacert.org/index.php?id=3>
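As an added illustration (not code from this thread, from GnuTLS or from Wocky), here is a small Python model of the verification decision that the flag changes, following GnuTLS's documented semantics: by default a chain certificate that is itself present in the trusted list is accepted by identity and its own signature is never examined; with GNUTLS_VERIFY_DO_NOT_ALLOW_SAME it is only accepted if it chains to a trusted issuer, at which point a signature made with an insecure digest such as MD5 is rejected unless GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 is also set. The certificate records are constructed toy data standing in for the CAcert root, the Class 3 intermediate and a server certificate, the bit values are arbitrary, and no real signatures are checked.

```python
# Toy model of the GnuTLS chain-verification decision with and without
# GNUTLS_VERIFY_DO_NOT_ALLOW_SAME.  Added illustration, not GnuTLS source.
from dataclasses import dataclass

# Status bits, named after the gnutls_certificate_status_t flags (values arbitrary).
CERT_INVALID = 1 << 1
CERT_SIGNER_NOT_FOUND = 1 << 6
CERT_INSECURE_ALGORITHM = 1 << 8

# Verify flags, named after the gnutls_certificate_verify_flags (values arbitrary).
DO_NOT_ALLOW_SAME = 1 << 0     # models GNUTLS_VERIFY_DO_NOT_ALLOW_SAME
ALLOW_SIGN_RSA_MD5 = 1 << 1    # models GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5

INSECURE_DIGESTS = {"MD2", "MD5"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_alg: str       # digest used in the signature placed on this cert
    fingerprint: str   # stands in for the DER bytes; used for identity match


def verify_chain(chain, trusted, flags=0):
    """Return a status bitmask (0 means verified) for chain[0] (the end
    entity) up to chain[-1] (the certificate nearest the trust anchor)."""
    status = 0
    for i, cert in enumerate(chain):
        in_trusted = any(t.fingerprint == cert.fingerprint for t in trusted)
        if in_trusted and not flags & DO_NOT_ALLOW_SAME:
            # Default: trusted by identity; the signature on it is not checked.
            return status
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            # Last cert: its issuer must be in the trusted list.  A self-signed
            # root finds itself here when DO_NOT_ALLOW_SAME is set.
            issuer = next((t for t in trusted if t.subject == cert.issuer), None)
            if issuer is None:
                return status | CERT_INVALID | CERT_SIGNER_NOT_FOUND
        if issuer.subject != cert.issuer:
            return status | CERT_INVALID | CERT_SIGNER_NOT_FOUND
        # This is the step the flag exposes: the signature on `cert` is now
        # examined, and an insecure digest fails unless explicitly allowed.
        # (Real GnuTLS also checks the signature value with the issuer's key;
        # these toy records carry none.)
        if cert.sig_alg in INSECURE_DIGESTS and not flags & ALLOW_SIGN_RSA_MD5:
            status |= CERT_INVALID | CERT_INSECURE_ALGORITHM
    return status


# Constructed sample data modelled on the situation in the mail: an MD5
# self-signed root, an MD5-signed intermediate that is also in the trust
# store, and a server certificate signed with SHA-1 by the intermediate.
ROOT = Cert("CAcert Root", "CAcert Root", "MD5", "root-fp")
CLASS3 = Cert("CAcert Class 3", "CAcert Root", "MD5", "class3-fp")
SERVER = Cert("jabber.example", "CAcert Class 3", "SHA1", "server-fp")

TRUSTED = [ROOT, CLASS3]
CHAIN = [SERVER, CLASS3]


def describe(status):
    """Human-readable rendering of a status bitmask."""
    if status == 0:
        return "verified"
    names = []
    if status & CERT_SIGNER_NOT_FOUND:
        names.append("signer-not-found")
    if status & CERT_INSECURE_ALGORITHM:
        names.append("insecure-algorithm")
    return "invalid (" + ", ".join(names) + ")"


if __name__ == "__main__":
    for label, flags in [("default", 0),
                         ("DO_NOT_ALLOW_SAME", DO_NOT_ALLOW_SAME),
                         ("DO_NOT_ALLOW_SAME|ALLOW_SIGN_RSA_MD5",
                          DO_NOT_ALLOW_SAME | ALLOW_SIGN_RSA_MD5)]:
        print(f"{label:40s} {describe(verify_chain(CHAIN, TRUSTED, flags))}")
```

In the default run the intermediate is found in the trust store and accepted by identity, so its MD5 signature is never looked at, which is why the unpatched gnutls-cli succeeds. With DO_NOT_ALLOW_SAME the intermediate has to chain to the root, its MD5 signature is examined and rejected, and the connection fails unless MD5 signatures are explicitly re-enabled, which defeats the point of the stricter flag.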