Public bug reported:
For example /usr/share/ca-
certificates/mozilla/Certum_Trusted_Network_CA.crt used here:
gnutls-cli --starttls-proto smtp --port 25 smtp.yandex.ru -d 2
- Certificate[2] info:
- subject `CN=Certum Trusted Network CA,OU=Certum Certification
Authority,O=Unizeto Technologies S.A.,C=PL', issuer `CN=Certum CA,O=Unizeto Sp.
z o.o.,C=PL', serial 0x00939285400165715f947f288fefc99b28, RSA key 2048 bits,
signed using RSA-SHA256, activated `2008-10-22 12:07:37 UTC', expires
`2027-06-10 10:46:39 UTC',
pin-sha256="qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU="
|<2>| issuer in verification was not found or insecure; trying against trust
list
|<2>| GNUTLS_SEC_PARAM_MEDIUM: certificate's signature hash strength is
unacceptable (is 80 bits, needed 112)
Secure check for SHA1 has exception for self-signed certificates
this check is not:
if (sigalg >= 0 && se) {
if (is_level_acceptable(cert, issuer, sigalg, flags) == 0) {
MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
}
/* If the certificate is not self signed check if the algorithms
* used are secure. If the certificate is self signed it doesn't
* really matter.
*/
if (_gnutls_sign_is_secure2(se,
GNUTLS_SIGN_FLAG_SECURE_FOR_CERTS) == 0 &&
_gnutls_is_broken_sig_allowed(se, flags) == 0 &&
is_issuer(cert, cert) == 0) {
MARK_INVALID(GNUTLS_CERT_INSECURE_ALGORITHM);
}
}
** Affects: gnutls28 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1875920
Title:
New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1875920/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
