Daniel Stenberg <[EMAIL PROTECTED]> writes:

>> I think we should disable both MD2 and MD5, and introduce an API to
>> modify gnutls_certificate_verify_peers2, a'la
>>
>> gnutls_enable_insecure_algorithm (&session, GNUTLS_SIGN_RSA_MD2)
>
> I would be fine with that, but as you can assume I would have to more
> or less unconditionally enable them for libcurl, since as you just
> saw: official CA certs out of our control clearly are using such
> algorithms.
>
> And I would assume that one or two other GnuTLS using libs/apps will
> be using that very same cert bundle...

After some discussion and more thinking, we realize that if the CA bundle includes an MD2 cert, whether the MD2 algorithm is broken or not doesn't matter -- if the user trusts that particular cert for verifying other certificates, the verification algorithm should let it through.

The code in CVS should now work correctly. The original example in this thread, with MD2 certs, now works, see below.

Please test whether tomorrow's daily build solves all the problems discussed in this thread.

Thanks,
Simon

[EMAIL PROTECTED]:~/src/gnutls$ gnutls-cli www2.net.hsbc.com --x509cafile /usr/share/curl/curl-ca-bundle.crt
Processed 59 CA certificate(s).
Resolving 'www2.net.hsbc.com'...
Connecting to '205.241.15.110:443'...
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches 'www2.net.hsbc.com'.
 # valid since: Wed May  4 02:00:00 CEST 2005
 # expires at: Fri May  5 01:59:59 CEST 2006
 # fingerprint: 3C:13:7F:B0:E2:E1:1A:3E:4C:8E:D0:FA:2E:20:B4:60
 # Subject's DN: C=US,ST=New Jersey,L=Jersey City,O=hsbc.com\, inc.,OU=ny03www2-2005,OU=Terms of use at www.verisign.com/rpa (c)00,CN=www2.net.hsbc.com
 # Issuer's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 - Certificate[1] info:
 # valid since: Thu Apr 17 02:00:00 CEST 1997
 # expires at: Tue Oct 25 01:59:59 CEST 2011
 # fingerprint: BC:0A:51:FA:C0:F4:7F:DC:62:1C:D8:E1:15:43:4E:CC
 # Subject's DN: O=VeriSign Trust Network,OU=VeriSign\, Inc.,OU=VeriSign International Server CA - Class 3,OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 - Certificate[2] info:
 # valid since: Mon Jan 29 01:00:00 CET 1996
 # expires at: Wed Aug  2 01:59:59 CEST 2028
 # fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: ARCFOUR 128
- MAC: MD5
- Compression: NULL
- Handshake was completed
- Simple Client Mode:

[EMAIL PROTECTED]:~/src/gnutls$

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
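An added illustration of the verification rule described in the message above, as a small Python model of path validation (example code, not GnuTLS's own): weak signature algorithms are rejected on every link the validator actually has to verify, but a certificate that is itself in the user's CA bundle is accepted by configuration, so its own (possibly MD2) self-signature is never examined. The Cert class, verify_chain function and the chain data are constructed for this example and only loosely mirror the three-certificate chain in the gnutls-cli output.

```python
# Constructed model of X.509 chain validation (not GnuTLS code).
# Signature bytes are not checked; only the algorithm policy and the
# trust-anchor rule from the thread are modelled.

WEAK_SIG_ALGS = {"md2WithRSA", "md5WithRSA"}


class Cert:
    """Minimal stand-in for an X.509 certificate (constructed)."""

    def __init__(self, subject, issuer, sig_alg):
        self.subject, self.issuer, self.sig_alg = subject, issuer, sig_alg


def verify_chain(chain, trust_store, reject_weak=True):
    """Validate chain[0] (leaf) up to a cert found in trust_store.

    Returns (ok, reason). The anchor check comes before the algorithm
    check on purpose: a cert the user put in the CA bundle is trusted
    as-is, so the algorithm of its self-signature is irrelevant.
    """
    trusted = {c.subject for c in trust_store}  # real code matches key too
    for depth, cert in enumerate(chain):
        if cert.subject in trusted:
            return True, f"anchor '{cert.subject}' trusted at depth {depth}"
        if depth + 1 >= len(chain):
            return False, f"issuer '{cert.issuer}' not present in chain"
        issuer = chain[depth + 1]
        if issuer.subject != cert.issuer:
            return False, f"chain break at depth {depth}"
        # This link must be verified, so its algorithm matters.
        if reject_weak and cert.sig_alg in WEAK_SIG_ALGS:
            return False, f"'{cert.subject}' signed with weak {cert.sig_alg}"
    return False, "no trust anchor in chain"


def demo():
    """Thread-like case: MD2 self-signed root in the bundle, SHA-1 links."""
    root = Cert("Class 3 Root", "Class 3 Root", "md2WithRSA")
    inter = Cert("Server CA", "Class 3 Root", "sha1WithRSA")
    leaf = Cert("www.example.test", "Server CA", "sha1WithRSA")
    ok_case = verify_chain([leaf, inter, root], [root])
    # Same root, but the intermediate's own signature uses MD2: rejected.
    weak_inter = Cert("Server CA", "Class 3 Root", "md2WithRSA")
    weak_link = verify_chain([leaf, weak_inter, root], [root])
    return ok_case, weak_link


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Trusting the intermediate directly (placing weak_inter in the trust store) makes the same chain validate again, because the MD2 link above the anchor is never reached.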
