Bug#683095: another attempt

Daniel Pocock daniel at pocock.com.au
Sat Jul 28 18:08:11 UTC 2012

I looked more closely and found that the slapd (TLS server) system
(running squeeze) has the old CACert class 3 root, signed by the class 1
root using md5

wheezy has the new version, signed by the sign class 1 using SHA256

CACert released the new version of the cert (using the same RSA key
pair, just a different sig algorithm):


I copied that from wheezy to squeeze, restarted slapd, and the wheezy
client connects to the slapd on squeeze now

Therefore, I believe the 0x102 error code was revealing the use of MD5
in the cert sent down by the server - even though a local copy of the
same cert (with same RSA key pair) has the SHA256 signature

On the squeeze machine, I notice that `apt-get upgrade' failed to bring
in a new copy of the certificate.

Could GnuTLS deal with this more elegantly, noticing that the same key
pair is in use, for example, and ignoring the use of MD5?

Could more be done to warn people and or encourage them to deploy the
new Class3 root to older machines before deploying wheezy?

More information about the Pkg-gnutls-maint mailing list