On 08/25/2010 09:02 AM, liuxiaoyu wrote:
> Hi,
> I am attempting to verify some MD2 algorithm signed certificates using GnuTLS
> 2.6.3.
> I notice it says in the GnuTLS manual that MD2 algorithms have been broken
> and should not be trusted, but flag "GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2" can be
> used with verification functions "gnutls_x509_crt_verify()" to allow
> certificates to be signed using the old MD2 algorithm.
> However, when I used the following function call it still returns
> "GNUTLS_CERT_INVALID".
> gnutls_x509_crt_verify (crt, ca_list, ca_list_size,
> GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2,
> &output);

MD2 is not supported by libgcrypt, thus verification or generation always fails. If you insist on verifying that, you could try the gnutls 2.11.x versions compiled against nettle.

In any case you shouldn't even bother. MD2 is so broken that even if the signature check is correct you shouldn't trust the certificate anyway.

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
http://lists.gnu.org/mailman/listinfo/help-gnutls
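
An added example, not part of the original thread and not GnuTLS code: a small DER check that tells whether a certificate's outer signatureAlgorithm is md2WithRSAEncryption, so an MD2-signed certificate can be identified and rejected by policy rather than left as an unexplained GNUTLS_CERT_INVALID. The function name `cert_signed_with_md2` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Content bytes of OID 1.2.840.113549.1.1.2 (md2WithRSAEncryption). */
static const unsigned char OID_MD2_RSA[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x02};

/* Constructed skeleton, not a real certificate: SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING }. */
static const unsigned char SAMPLE_MD2_CERT[] = {
    0x30,0x18, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x02,0x05,0x00,
    0x03,0x02,0x00,0x00 };

/* Parse one DER header; returns header size (0 if malformed or content exceeds avail). */
static size_t der_header(const unsigned char *p, size_t avail, unsigned char *tag, size_t *len)
{
    size_t n = 2, i, nb;
    if (avail < 2) return 0;
    *tag = p[0];
    *len = p[1];
    if (p[1] & 0x80) {                       /* long form: next nb bytes hold the length */
        nb = p[1] & 0x7f;
        if (nb == 0 || nb > 4 || avail < 2 + nb) return 0;
        for (*len = 0, i = 0; i < nb; i++) *len = (*len << 8) | p[2 + i];
        n = 2 + nb;
    }
    return (*len <= avail - n) ? n : 0;
}

/* 1: outer signatureAlgorithm is md2WithRSAEncryption, 0: another algorithm, -1: malformed. */
int cert_signed_with_md2(const unsigned char *p, size_t avail)
{
    unsigned char tag; size_t len, h;
    if (!(h = der_header(p, avail, &tag, &len)) || tag != 0x30) return -1; /* Certificate */
    p += h; avail = len;
    if (!(h = der_header(p, avail, &tag, &len)) || tag != 0x30) return -1; /* tbsCertificate */
    p += h + len; avail -= h + len;                                        /* skip its body */
    if (!(h = der_header(p, avail, &tag, &len)) || tag != 0x30) return -1; /* AlgorithmIdentifier */
    p += h; avail = len;
    if (!(h = der_header(p, avail, &tag, &len)) || tag != 0x06) return -1; /* algorithm OID */
    return len == sizeof OID_MD2_RSA && memcmp(p + h, OID_MD2_RSA, len) == 0;
}

int main(void)
{
    printf("MD2-signed: %d\n", cert_signed_with_md2(SAMPLE_MD2_CERT, sizeof SAMPLE_MD2_CERT));
    return 0;
}
```

The check reads only the outer signatureAlgorithm field and expects DER input, so a PEM file must be base64-decoded first.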
