Whoos with GnuTLS and md5-signed certificates
vorlon at debian.org
Mon Feb 16 06:59:49 UTC 2009
On Fri, Feb 13, 2009 at 02:46:17PM +0100, Bastian Blank wrote:
> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> themself, MD5 is broken since 4 years, I question the timing.
> Yesterday several people started to complain that they could not longer
> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which was signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5 signed
> certs somewhere in the chain and all of them will not longer work now
> until this intermediate certs will be trusted explicitely. Most of them
> already switched to SHA1 for their enduser certificates.
> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> themself nor in the release notes.
This also bit a number of Ubuntu users when security updates were issued for
the GnuTLS CVE, because Ubuntu already had releases out with a GnuTLS-using
The conclusion reached there is that it would be reasonable to patch the
OpenLDAP package in the supported Ubuntu releases to allow V1 certs, for
"feature"-parity when building with either OpenSSL or GnuTLS.
I don't know that this would be appropriate for lenny. For Debian this
wasn't a regression introduced in the server in a stable security update -
etch's slapd is linked against OpenSSL - and this is only one of a pretty
large number of behavior differences between etch's and lenny's slapd. On
the client side, OTOH, it is a significant behavior change for both etch and
As for other apps that use GnuTLS, I don't know. For some reason the only
reports of problems have been from users of OpenLDAP, not of other
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
More information about the Pkg-gnutls-maint