Bug#514578: libgnutls26: ldapsearch also not working here
Simon Josefsson
simon at josefsson.org
Mon Feb 9 14:28:32 UTC 2009
On Mon, 2009-02-09 at 15:09 +0100, Hermann Lauer wrote:
> Subject: libgnutls26: ldapsearch also not working here
> Followup-For: Bug #514578
> Package: libgnutls26
> Version: 2.4.2-5
>
> *** Please type your report below this line ***
> Same error here from ldapsearch.
>
> Our certificates indeed contains:
>
> Signature Algorithm: md5WithRSAEncryption
>
> Are there any workarounds without renewing all md5WithRSAEncryption
> certs?
If you can get out-of-band verification that an intermediary certificate
signed using RSA-MD5 is the correct certificate and you are willing to
trust it for verification, you can add that RSA-MD5 cert explicitly to
your certificate trust list. With 2.4.2-6, gnutls will stop looking
after finding a trusted intermediate certificate.
Of course, this work around requires that all gnutls based clients that
talks to your site has the intermediate certificate in their trusted
cert list.
The proper fix is to get a new certificate for your server that isn't
part of a RSA-MD5 chain. More background on the insecurity of RSA-MD5
is available from:
http://www.win.tue.nl/hashclash/rogue-ca/
/Simon
More information about the Pkg-gnutls-maint
mailing list