On Mon, 2009-02-09 at 15:09 +0100, Hermann Lauer wrote:
> Subject: libgnutls26: ldapsearch also not working here
> Followup-For: Bug #514578
> Package: libgnutls26
> Version: 2.4.2-5
> 
> *** Please type your report below this line ***
> Same error here from ldapsearch.
> 
> Our certificates indeed contains:
> 
>         Signature Algorithm: md5WithRSAEncryption
> 
> Are there any workarounds without renewing all md5WithRSAEncryption 
> certs?

If you can get out-of-band verification that an intermediary certificate
signed using RSA-MD5 is the correct certificate and you are willing to
trust it for verification, you can add that RSA-MD5 cert explicitly to
your certificate trust list.  With 2.4.2-6, gnutls will stop looking
after finding a trusted intermediate certificate.

Of course, this workaround requires that all gnutls-based clients that
talk to your site have the intermediate certificate in their trusted
cert list.

The proper fix is to get a new certificate for your server that isn't
part of an RSA-MD5 chain.  More background on the insecurity of RSA-MD5
is available from:

http://www.win.tue.nl/hashclash/rogue-ca/

/Simon
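As an added example (not part of this thread and not gnutls code), the Python below pulls the outer signatureAlgorithm OID out of a DER-encoded certificate and models the trust-list behaviour Simon describes: verification walks from the leaf toward the root, stops at the first certificate that is explicitly in the trust list, and fails on any md5WithRSAEncryption signature it would otherwise have to verify. The certificates it builds are constructed stand-ins whose tbsCertificate holds only a subject and an issuer string, and no real signature is checked; the OID extraction itself relies only on the outer Certificate SEQUENCE layout, so it also works on real DER certificates (for example the output of `openssl x509 -outform DER`).

```python
"""Detect md5WithRSAEncryption in a certificate chain and model the
trust-list workaround from the thread. Added example, not gnutls code."""

# Signature algorithm OIDs from PKCS#1 (the only ones used here)
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"


# --- minimal DER helpers -------------------------------------------------

def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag/length/value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- the check -----------------------------------------------------------

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Extract the outer signatureAlgorithm OID of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)              # skip tbsCertificate
    tag, alg, _ = read_tlv(cert, pos)             # AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid, _ = read_tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)


def toy_cert(subject: str, issuer: str, sig_oid: str) -> bytes:
    """Constructed stand-in certificate: the tbsCertificate is just two
    UTF8Strings (subject, issuer) and the signature is a placeholder, but
    the outer layout matches real X.509 DER so the parser above applies."""
    tbs = der_tlv(0x30, der_tlv(0x0C, subject.encode()) + der_tlv(0x0C, issuer.encode()))
    alg = der_tlv(0x30, encode_oid(sig_oid) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" + b"\x00" * 16)   # placeholder BIT STRING
    return der_tlv(0x30, tbs + alg + sig)


def toy_subject(cert_der: bytes) -> str:
    """Read the subject string back out of a toy_cert() certificate."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    _, subj, _ = read_tlv(tbs, 0)
    return subj.decode()


def check_chain(chain, trusted):
    """chain: leaf-first list of DER certs; trusted: set of DER certs in
    the trust list. Mirrors the behaviour described in the thread: stop at
    the first certificate that is itself trusted, and reject any
    md5WithRSAEncryption signature that would still have to be verified.
    (A real verifier also checks the signatures and the issuer linkage.)"""
    for cert in chain:
        if cert in trusted:
            return True, f"stopped at trusted certificate {toy_subject(cert)}"
        if signature_algorithm_oid(cert) == MD5_WITH_RSA:
            return False, f"{toy_subject(cert)} is signed with md5WithRSAEncryption"
    return False, "chain does not reach a trusted certificate"


if __name__ == "__main__":
    # Constructed chain: root -> MD5-signed intermediate -> SHA-1-signed leaf
    root = toy_cert("Root CA", "Root CA", SHA1_WITH_RSA)
    inter = toy_cert("Intermediate CA", "Root CA", MD5_WITH_RSA)
    leaf = toy_cert("ldap.example.org", "Intermediate CA", SHA1_WITH_RSA)
    print(check_chain([leaf, inter, root], {root}))          # rejected
    print(check_chain([leaf, inter, root], {root, inter}))   # accepted
```

With only the root in the trust list the walk has to verify the intermediate's MD5 signature and fails, which is the error the reporter sees; adding the intermediate itself to the trust list makes the walk stop one link earlier and succeed, which is the workaround, and also shows why every client talking to the server needs that entry.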