Bug#683095: another attempt
Daniel Pocock
daniel at pocock.com.au
Sat Jul 28 18:08:11 UTC 2012
I looked more closely and found that the slapd (TLS server) system
(running squeeze) has the old CACert class 3 root, signed by the class 1
root using md5
wheezy has the new version, signed by the sign class 1 using SHA256
CACert released the new version of the cert (using the same RSA key
pair, just a different sig algorithm):
http://wiki.cacert.org/FAQ/Class3Resign
I copied that from wheezy to squeeze, restarted slapd, and the wheezy
client connects to the slapd on squeeze now
Therefore, I believe the 0x102 error code was revealing the use of MD5
in the cert sent down by the server - even though a local copy of the
same cert (with same RSA key pair) has the SHA256 signature
On the squeeze machine, I notice that `apt-get upgrade' failed to bring
in a new copy of the certificate.
Could GnuTLS deal with this more elegantly, noticing that the same key
pair is in use, for example, and ignoring the use of MD5?
Could more be done to warn people and or encourage them to deploy the
new Class3 root to older machines before deploying wheezy?
More information about the Pkg-gnutls-maint
mailing list