Bug#737921: [TLS1.2] gnutls only likes SHA1 and SHA256 certificates
Roger Lynn
Roger at rilynn.me.uk
Thu Oct 23 08:18:20 UTC 2014
On 23/10/2014 04:46, Desai, Jason wrote:
> I ran into this bug too - not fun. I was not able to find a workaround until I started investigating how to disable SSLv3 to protect against POODLE. Since it seems that the issue is with TLS 1.2 and SHA512, I think you can disable the TLS 1.2 protocol altogether as a workaround until this gets fixed properly. Don't forget to disable SSLv3 while you're at it.

Thanks for the tip. I have only recently discovered that CACert have been
offering SHA256 certificates for several months, but the option is only
shown when you add a new server. This provides an alternative workaround
for those trying to use CACert certificates. For details see:
http://blog.cacert.org/2014/06/selection-of-hash-algorithm-during-certificate-creation/
Roger