[Bug 1875920] Re: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
Is it the same issue I've hit with apt on Focal? 'apt update' fails on https://mirror.yandex.ru/ubuntu with: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses insecure algorithm. Could not handshake: Error in the certificate verification. [IP: 213.180.204.183 443] The issue is supposedly fixed in GnuTLS 3.7.2. Are there any plans to backport the fix to Focal? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875920 Title: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1875920] Re: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
@xnox, I _think_ SHA1 isn't used in the insecure way that you seem to be referring to. The problem seems to be that the certification path used by gnutls ends up with a root CA self-signed with SHA1. The rest of the path is using SHA256 as it should. This can be visualized in "Certification Paths > Path #1: Trusted" on [1]. In theory, using SHA1 on a root CA should not be a concern. "openssl s_client -connect ggproxy-secure-12.gadu-gadu.pl:443" uses a different path and doesn't meet any self-signed root CA with SHA1. [1]: https://www.ssllabs.com/ssltest/analyze.html?d=ggproxy-secure-12 .gadu-gadu.pl -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875920 Title: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1875920] Re: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
I would not want to fix this. CA that use SHA1 are insecure. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875920 Title: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1875920] Re: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
Reported upstream: https://gitlab.com/gnutls/gnutls/-/issues/1202 ** Bug watch added: gitlab.com/gnutls/gnutls/-/issues #1202 https://gitlab.com/gnutls/gnutls/-/issues/1202 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875920 Title: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1875920] Re: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
This change also affects libgadu for me, it can't connect to Gadu-Gadu instant messenger network. The same CA causes the problem (Certum Trusted Network CA). Fails: gnutls-cli --priority 'NORMAL:%PROFILE_MEDIUM' ggproxy-secure-12.gadu-gadu.pl:443 Works: gnutls-cli --priority 'NORMAL' ggproxy-secure-12.gadu-gadu.pl:443 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875920 Title: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1875920] Re: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: gnutls28 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1875920 Title: New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs