Bug#737921: [TLS1.2] gnutls only likes SHA1 and SHA256 certificates

Ivan Shmakov ivan at siamics.net
Thu Mar 20 07:32:38 UTC 2014 

Control: tags 737921 + patch

>>>>> Jan Nordholz <jnordholz at sec.t-labs.tu-berlin.de> writes:
>>>>> Hi Daniel,

[…]

 >> Have you tested this against libgnutls28?  GnuTLS 3.2.10-2 is the
 >> latest version in jessie and sid, and 3.2.8.1-2~bpo70+1 is in
 >> wheezy-backports.  I believe you'll find it resolved in this
 >> version.

 > well, I tested against gnutls-serv, which indeed seems to work (and
 > that one's linked to gnutls28).  However my original problem occurred
 > with exim, and I was reluctant to recompile those packages as I don't
 > know how much of the gnutls API has changed and would need fixing in
 > exim.

 > Good to know that the library migration will eventually take care of
 > this.

	AIUI, this issue affects all of those who happen to:

	• use the X.509 certificates signed with the RSA-SHA512
	  algorithm (such as those recently issued by CAcert.org) at
	  their servers, and thus all the users of these servers;

	• are, at the same time, using the latest stable Debian release.

	Given that a new Debian stable isn’t to be released anytime
	soon, I’d like to ask for the Debian gnutls26 package
	maintainers to consider adopting a change [1] (possible patch
	MIMEd) made to the GnuTLS tree back in 2011, which I believe
	resolves the issue.

	I’ve built the patched gnutls26 package with pbuilder and
	briefly tested Exim (as of 4.80-7) with the resulting
	libgnutls26, and seen no issues so far.  The resulting packages
	are available from the following location (please do /not/ use
	unless in testing environments, such as a KVM instance, etc.):

⋯✂⋯ /etc/apt/sources.list.d/99-am-1.org-1gray-test.list ⋯✂⋯
deb     http://am-1.org/~ivan/mini-dinstall/ 1gray-test/$(ARCH)/
deb     http://am-1.org/~ivan/mini-dinstall/ 1gray-test/all/
deb-src http://am-1.org/~ivan/mini-dinstall/ 1gray-test/source/
⋯✂⋯ /etc/apt/sources.list.d/99-am-1.org-1gray-test.list ⋯✂⋯

	TIA.

[1] https://gitorious.org/gnutls/gnutls/commit/1a02ec18e9e39
    http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=1a02ec18e9e39

PS.  The top (IOW, the comment) of the diff should read: “… (with
	regards to GNUTLS_CRT_OPENPGP.)”  Sending as-is because it’s the
	file I’ve actually used while building the package.

-- 
FSF associate member #7257
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 12_no_sign_algo.diff
Type: text/x-diff
Size: 6368 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20140320/b8797144/attachment.diff>

More information about the Pkg-gnutls-maint mailing list