Daniel Stenberg <[EMAIL PROTECTED]> writes:

> On Thu, 27 Oct 2005, Simon Josefsson wrote:
>
>> However, I am skeptical about supporting MD2, and even MD5, by
>> default. I know GnuTLS certtool prints a warning about MD5, but the
>> library does not, and most GnuTLS library users probably don't
>> either.
>
> Perhaps if we got some nice pointers in the docs or something us
> library users could also output a warning in similar style.

Use gnutls_x509_crt_get_signature_algorithm() on the certificates in
the chain; if any of them is GNUTLS_SIGN_RSA_MD5 or GNUTLS_SIGN_RSA_MD2,
I think you are in potential trouble and may issue a warning.

However, you are right that this problem warrants a section in the
manual. I'll try to add one, and post it here for review.

> I would be fine with that, but as you can assume I would have to more
> or less unconditionally enable them for libcurl, since as you just
> saw: official CA certs out of our control clearly are using such
> algorithms.

How about only enabling use of MD2/MD5 when --insecure is used?

Thanks,
Simon
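
The check suggested in the message above, shown as an added example that is not part of the original post and is not GnuTLS code: it generalizes the idea by reading the signatureAlgorithm OID straight from a DER certificate and flagging md2WithRSAEncryption and md5WithRSAEncryption. The names `der_hdr`, `cert_sig_is_weak`, `MD5_CERT` and `SHA256_CERT` are assumptions, and the two byte arrays are constructed skeletons, not real certificates.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at *p and advance *p to the value bytes. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {                        /* long form: next n bytes hold the length */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof l || (size_t)(end - *p) < n) return -1;
        for (l = 0; n--; ) l = (l << 8) | *(*p)++;
    }
    if (l > (size_t)(end - *p)) return -1; /* value would run past the buffer */
    *len = l;
    return 0;
}

/* 1 = signed with MD2/MD5-with-RSA, 0 = other algorithm, -1 = malformed DER. */
int cert_sig_is_weak(const unsigned char *der, size_t der_len)
{
    /* DER bytes of OID prefix 1.2.840.113549.1.1 (PKCS #1) */
    static const unsigned char rsa[] = { 0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01 };
    const unsigned char *p = der, *end = der + der_len;
    unsigned char tag; size_t len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* Certificate */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* tbsCertificate */
    p += len;                                                    /* skip its body */
    if (der_hdr(&p, end, &tag, &len) || tag != 0x30) return -1; /* signatureAlgorithm */
    end = p + len;
    if (der_hdr(&p, end, &tag, &len) || tag != 0x06) return -1; /* algorithm OID */
    if (len != sizeof rsa + 1 || memcmp(p, rsa, sizeof rsa)) return 0;
    return p[len - 1] == 0x02 || p[len - 1] == 0x04; /* md2/md5WithRSAEncryption */
}

/* Constructed skeletons: empty tbsCertificate, one-byte signature. */
static const unsigned char MD5_CERT[] = { 0x30,0x14, 0x30,0x00, 0x30,0x0d,0x06,0x09,
    0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x04, 0x05,0x00, 0x03,0x01,0x00 };
static const unsigned char SHA256_CERT[] = { 0x30,0x14, 0x30,0x00, 0x30,0x0d,0x06,0x09,
    0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b, 0x05,0x00, 0x03,0x01,0x00 };

int main(void)
{
    if (cert_sig_is_weak(MD5_CERT, sizeof MD5_CERT) == 1)
        puts("warning: certificate signed with MD2 or MD5");
    return cert_sig_is_weak(SHA256_CERT, sizeof SHA256_CERT);
}
```

Run it over every certificate in the chain the peer presented and warn if any call returns 1; a return of -1 means the input was not parseable and should be treated as a failure, not as "not weak".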
