Bug#814205: gnutls-bin: is VERIFY_ALLOW_SIGN_RSA_MD5 enabled in 3.4.8-2

Fulano Diego Perez fulanoperez at cryptolab.net
Tue Feb 9 07:06:39 UTC 2016 

Package: gnutls-bin
Version: 3.4.8-2
Severity: normal




in  3.4.8-2 VERIFY_ALLOW_SIGN_RSA_MD5 is listed with --priority-list

im trying to test a known weak smtp server with RSA 1024 MD5 self signed
cert expired 2005

im hoping i don't have to compile older versions of gnutls, nettle, gmp

is the below supported in 3.4.9?


$ gnutls-cli --list --priority=LEGACY:+VERIFY_ALLOW_SIGN_RSA_MD5
Cipher suites for LEGACY:+VERIFY_ALLOW_SIGN_RSA_MD5
Syntax error at: +VERIFY_ALLOW_SIGN_RSA_MD5


$ gnutls-serv --http --x509cafile ca-cert.pem --x509keyfile key.pem
--x509certfile cert.pem
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done


gnutls-cli --debug=5 --port=5556 127.0.0.1
--priority=LEGACY:+VERIFY_ALLOW_SIGN_RSA_MD5

* Accepted connection from IPv4 127.0.0.1 port 41000
Error in handshake
Error: The TLS connection was non-properly terminated.



Connecting to '127.0.0.1:5556'...
|<5>| REC[0x1e0c400]: Allocating epoch #0
|<3>| ASSERT: gnutls_priority.c:1346
Syntax error at: +VERIFY_ALLOW_SIGN_RSA_MD5



-- System Information:
Debian Release: stretch/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnutls-bin depends on:
ii  libc6        2.21-7
ii  libgmp10     2:6.1.0+dfsg-2
ii  libgnutls30  3.4.8-2
ii  libhogweed4  3.1.1-4
ii  libidn11     1.32-3
ii  libnettle6   3.1.1-4
ii  libopts25    1:5.18.7-3
ii  libp11-kit0  0.23.2-3
ii  libtasn1-6   4.7-3
ii  zlib1g       1:1.2.8.dfsg-2+b1

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information





-- System Information:
Debian Release: stretch/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnutls-bin depends on:
ii  libc6        2.21-7
ii  libgmp10     2:6.1.0+dfsg-2
ii  libgnutls30  3.4.8-2
ii  libhogweed4  3.1.1-4
ii  libidn11     1.32-3
ii  libnettle6   3.1.1-4
ii  libopts25    1:5.18.7-3
ii  libp11-kit0  0.23.2-3
ii  libtasn1-6   4.7-3
ii  zlib1g       1:1.2.8.dfsg-2+b1

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information

More information about the Pkg-gnutls-maint mailing list