On Thu, 27 Oct 2005, Simon Josefsson wrote:
> However, I am skeptical about supporting MD2, and even MD5, by default. I
> know GnuTLS certtool prints a warning about MD5, but the library does not,
> and most GnuTLS library users probably don't either.

Perhaps if we got some nice pointers in the docs or something us library users
could also output a warning in similar style.

> I think we should disable both MD2 and MD5, and introduce an API to
> modify gnutls_certificate_verify_peers2, à la
>
>   gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)

I would be fine with that, but as you can assume I would have to more or less
unconditionally enable them for libcurl, since as you just saw: official CA
certs out of our control clearly are using such algorithms.
And I would assume that one or two other GnuTLS-using libs/apps will be using
that very same cert bundle...
--
-=- Daniel Stenberg -=- http://daniel.haxx.se -=-
ech`echo xiun|tr nu oc|sed 'sx\([sx]\)\([xoi]\)xo un\2\1 is xg'`ol