Whoos with GnuTLS and md5-signed certificates

Steve Langasek vorlon at debian.org
Mon Feb 16 06:59:49 UTC 2009

On Fri, Feb 13, 2009 at 02:46:17PM +0100, Bastian Blank wrote:

> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> themself, MD5 is broken since 4 years, I question the timing.

> Yesterday several people started to complain that they could not longer
> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which was signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5 signed
> certs somewhere in the chain and all of them will not longer work now
> until this intermediate certs will be trusted explicitely. Most of them
> already switched to SHA1 for their enduser certificates.

> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> themself nor in the release notes.

This also bit a number of Ubuntu users when security updates were issued for
the GnuTLS CVE, because Ubuntu already had releases out with a GnuTLS-using


The conclusion reached there is that it would be reasonable to patch the
OpenLDAP package in the supported Ubuntu releases to allow V1 certs, for
"feature"-parity when building with either OpenSSL or GnuTLS.

I don't know that this would be appropriate for lenny.  For Debian this
wasn't a regression introduced in the server in a stable security update -
etch's slapd is linked against OpenSSL - and this is only one of a pretty
large number of behavior differences between etch's and lenny's slapd.  On
the client side, OTOH, it is a significant behavior change for both etch and

As for other apps that use GnuTLS, I don't know.  For some reason the only
reports of problems have been from users of OpenLDAP, not of other
TLS-capable services.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

More information about the Pkg-gnutls-maint mailing list