Bug#740160: gnutls unusable with cacert SHA2-512 sigs

Daniel Pocock daniel at pocock.pro
Wed Feb 26 19:00:40 UTC 2014



On 26/02/14 19:17, Andreas Metzler wrote:
> On 2014-02-26 Daniel Pocock <daniel at pocock.pro> wrote:
>> Package: libgnutls26
>> Severity: serious
>> Version: 2.12.20-8
> 
> [...]
>> - running gnutls-cli in debug mode, I notice the following:
> [...]
> 
> Can you check whether this is fixed in GnuTLS 3.x? - It is available
> in wheezy-backports.
> 

I already removed the cacert.org certs from that server and changed to
another root so it is not something I can test immediately.

Even if 3.x fixes it, people will still be using wheezy for another good
12-18 months, so this probably needs to go in a security update to avoid
massive inconvenience (unless cacert.org decides to go back to SHA-256).

Also, I started a thread on the cacert mailing list about this issue:

https://lists.cacert.org/wws/arc/cacert/2014-02/msg00001.html