All,

You may have seen the post below about colliding X.509 certificates with different identities.

GnuTLS since 1.2.9 is not vulnerable to this problem, since we have disabled the use of RSA-MD5 for verifying X.509 signatures. Below is how to test this for yourself.

/Simon

[EMAIL PROTECTED]:~$ wget -q http://www.win.tue.nl/~bdeweger/CollidingCertificates/MD5CollisionCA.cer http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificate1.cer http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificate2.cer
[EMAIL PROTECTED]:~$ certtool --inder -i < MD5CollisionCA.cer > ca.pem
Warning: certificate uses a broken signature algorithm that can be forged.
[EMAIL PROTECTED]:~$ certtool --inder -i < TargetCollidingCertificate1.cer > client1.pem
Warning: certificate uses a broken signature algorithm that can be forged.
[EMAIL PROTECTED]:~$ certtool --inder -i < TargetCollidingCertificate2.cer > client2.pem
Warning: certificate uses a broken signature algorithm that can be forged.
[EMAIL PROTECTED]:~$ cat client1.pem ca.pem > chain1.pem
[EMAIL PROTECTED]:~$ cat client2.pem ca.pem > chain2.pem
[EMAIL PROTECTED]:~$ certtool -e < chain1.pem
Certificate[0]: CN=Arjen K. Lenstra,O=Collisionairs,L=Eindhoven,C=NL
	Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
	Verifying against certificate[1].
	Verification output: Not verified, Insecure algorithm.

Certificate[1]: CN=Hash Collision CA,L=Eindhoven,C=NL
	Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
	Verification output: Verified.

[EMAIL PROTECTED]:~$ certtool -e < chain2.pem
Certificate[0]: CN=Marc Stevens,O=Collision Factory,L=Eindhoven,C=NL
	Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
	Verifying against certificate[1].
	Verification output: Not verified, Insecure algorithm.

Certificate[1]: CN=Hash Collision CA,L=Eindhoven,C=NL
	Issued by: CN=Hash Collision CA,L=Eindhoven,C=NL
	Verification output: Verified.

[EMAIL PROTECTED]:~$

"Weger, B.M.M. de" <[EMAIL PROTECTED]> writes:

> Hi all,
>
> We announce:
> - an example of a target collision for MD5; this means:
>   for two chosen messages m1 and m2 we have constructed
>   appendages b1 and b2 to make the messages collide
>   under MD5, i.e. MD5(m1||b1) = MD5(m2||b2);
>   said differently: we can cause an MD5 collision for
>   any pair of distinct IHVs;
> - an example of a pair of valid, unsuspicious X.509
>   certificates with distinct Distinguished Name fields,
>   but identical CA signatures; this example makes use
>   of the target collision.
>
> See http://www.win.tue.nl/hashclash/TargetCollidingCertificates/,
> where the certificates and a more detailed announcement
> can be found.
>
> Marc Stevens
> Arjen Lenstra
> Benne de Weger

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
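As an added example (not part of the post above and not GnuTLS code), the script below applies the same policy certtool reports as "Insecure algorithm": it walks the DER of a certificate to the signatureAlgorithm OID and refuses md5WithRSAEncryption or md2WithRSAEncryption before any signature is checked, so a colliding pair never gets as far as the RSA verification. It also flags a mismatch between the outer signatureAlgorithm and the copy inside tbsCertificate, a check a verifier should make regardless of hash. Everything here is my own: the function names, the minimal DER walker, the der_from_pem helper, and the test certificate, which is a constructed shell containing only the fields the check reads rather than one of the Eindhoven certificates.

```python
# Added example, not GnuTLS code: refuse X.509 certificates whose signature
# uses a broken hash (MD5/MD2). Pure-Python DER walker, no dependencies.
import base64
import re

BROKEN_SIG_OIDS = {                      # PKCS#1 signature-algorithm OIDs
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def der_read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                     # short-form length
        length = first
    else:                                # long form: 0x8N then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in body[1:]:                   # base-128 arcs, high bit = continue
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def _alg_oid(buf, pos):
    """Read AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... } at pos."""
    tag, start, end = der_read_tlv(buf, pos)
    otag, ostart, oend = der_read_tlv(buf, start)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(buf[ostart:oend]), end

def signature_algorithms(cert_der):
    """Return (outer signatureAlgorithm OID, tbsCertificate.signature OID)."""
    tag, start, _ = der_read_tlv(cert_der, 0)            # Certificate
    ttag, tstart, tend = der_read_tlv(cert_der, start)   # tbsCertificate
    if tag != 0x30 or ttag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    outer, _ = _alg_oid(cert_der, tend)                  # signatureAlgorithm
    # TBSCertificate: [0] version OPTIONAL, serialNumber INTEGER, signature
    vtag, _, vend = der_read_tlv(cert_der, tstart)
    pos = vend if vtag == 0xA0 else tstart
    stag, _, send = der_read_tlv(cert_der, pos)
    if stag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    inner, _ = _alg_oid(cert_der, send)
    return outer, inner

def check_certificate(cert_der):
    """(accepted, reason): reject MD5/MD2 outright, and mismatched fields."""
    outer, inner = signature_algorithms(cert_der)
    if outer in BROKEN_SIG_OIDS:
        return False, f"Insecure algorithm: {BROKEN_SIG_OIDS[outer]} ({outer})"
    if outer != inner:                   # both copies must agree (RFC 5280 4.1.1.2)
        return False, f"signatureAlgorithm {outer} != tbsCertificate.signature {inner}"
    return True, f"signature algorithm {outer} is not on the broken list"

def der_from_pem(pem_text):
    # First CERTIFICATE block of a PEM file (e.g. certtool -i output) as DER.
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

# --- constructed test data: a certificate shell, not a real certificate ---
def der_tlv(tag, body):                  # short-form lengths suffice here
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def make_test_cert(sig_oid, inner_oid=None):
    # Shell with version v3, serial 1, both algorithm fields, dummy BIT STRING.
    alg = lambda oid: der_tlv(0x30, der_tlv(0x06, encode_oid(oid)) + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))
                  + der_tlv(0x02, b"\x01") + alg(inner_oid or sig_oid))
    return der_tlv(0x30, tbs + alg(sig_oid) + der_tlv(0x03, bytes(17)))
```

To run it over the files certtool produced above, call check_certificate(der_from_pem(open("client1.pem").read())); since those certificates carry an MD5-based RSA signature, the expected result is (False, "Insecure algorithm: ..."), the same verdict certtool gives before it ever touches the signature value. Refusing on the algorithm identifier alone is the point: once the hash is broken, a mathematically valid signature proves nothing about which certificate body the CA actually signed.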
