Whoops with GnuTLS and MD5-signed certificates

Bastian Blank waldi at debian.org
Fri Feb 13 13:46:17 UTC 2009


Hi folks

GnuTLS stopped accepting MD5 as a proper signature type for certificates
just two weeks before the release. While I don't question the decision
itself (MD5 has been broken for 4 years), I question the timing.

Yesterday several people started to complain that they could no longer
connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
A quick look showed certificates in the chain which were signed with MD5.
Even many commercial or non-commercial CAs out there have MD5-signed
certs somewhere in the chain, and none of them will work now
until these intermediate certs are trusted explicitly. Most of them
have already switched to SHA1 for their end-user certificates.

So now we have a change in Lenny which will break many, many machines.
It is neither properly documented in the NEWS file of the package
itself nor in the release notes.

Bastian

-- 
Too much of anything, even love, isn't necessarily a good thing.
		-- Kirk, "The Trouble with Tribbles", stardate 4525.6
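As an added illustration (not part of Bastian's mail and not GnuTLS code): a stdlib-only Python check that walks a PEM chain and reports which certificates carry the md5WithRSAEncryption signature algorithm, the condition that now makes GnuTLS reject a chain such as the LDAP ones described above. The DER walker reads only the outer Certificate structure and skips tbsCertificate; the sample chain is constructed in the block from hand-built minimal DER shells, not real certificates.

```python
import base64
import re

MD5_RSA_OID = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption (PKCS#1)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of one DER certificate."""
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der, pos)          #   tbsCertificate   (skipped whole)
    alg_tag, pos, _ = _tlv(der, tbs_end)    #   signatureAlgorithm ::= SEQUENCE {
    oid_tag, start, end = _tlv(der, pos)    #     algorithm OBJECT IDENTIFIER
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate")
    return _decode_oid(der[start:end])

def md5_signed_certs(pem_bundle):
    """1-based positions of certs in the bundle signed with md5WithRSAEncryption."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    return [i for i, b in enumerate(blocks, 1)
            if signature_oid(base64.b64decode(b)) == MD5_RSA_OID]

def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed samples: minimal Certificate shells (empty tbsCertificate, one-byte
# signature), not real certificates; only the AlgorithmIdentifier OID differs.
SHA1_DER = bytes.fromhex("3015 3000 300d 0609 2a864886f70d010105 0500 0302 0000")
MD5_DER = bytes.fromhex("3015 3000 300d 0609 2a864886f70d010104 0500 0302 0000")
SAMPLE_CHAIN = _pem(SHA1_DER) + _pem(MD5_DER)   # end-entity (SHA1), then intermediate (MD5)

if __name__ == "__main__":
    for i in md5_signed_certs(SAMPLE_CHAIN):
        print(f"certificate #{i} in the chain is MD5-signed; GnuTLS will reject it")
```

Run it against a real bundle by reading the file into md5_signed_certs(); any position it reports is a certificate that has to be replaced or, as the mail says, trusted explicitly before GnuTLS clients will connect again.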