
Whoos with GnuTLS and md5-signed certificates

Hi folks

GnuTLS stopped accepting MD5 as a proper signature type for certificates
just two weeks before the release. While I don't question the decision
itself (MD5 has been broken for four years), I question the timing.

Yesterday several people started to complain that they could no longer
connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
A quick look showed certificates in the chain which were signed with MD5.
Even many commercial or non-commercial CAs out there have MD5-signed
certs somewhere in the chain, and all of them will no longer work now
until these intermediate certs are trusted explicitly. Most of them
have already switched to SHA1 for their end-user certificates.

So now we have a change in Lenny which will break many, many machines.
It is neither properly documented in the NEWS file of the package
itself nor in the release notes.


Too much of anything, even love, isn't necessarily a good thing.
		-- Kirk, "The Trouble with Tribbles", stardate 4525.6
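The "quick look" at a chain described above can be scripted. The following is an added example for this thread, not code from GnuTLS, Debian or the poster: it pulls the outer signatureAlgorithm OID out of each certificate in a PEM bundle with a minimal DER reader (no third-party modules) and flags MD5 and MD2 signatures. The bundle it runs on is constructed inline from structurally valid but dummy certificates (fake tbsCertificate and signature), since a real chain is not part of the post.

```python
"""Report the signature algorithm of every certificate in a PEM bundle.

A Certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signature };
signatureAlgorithm is an AlgorithmIdentifier whose first element is the OID.
"""
import base64
import re

# OIDs from PKCS#1 / RFC 3279 for the common RSA signature algorithms.
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN_DIGESTS = ("md2", "md5")


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_decode_oid(value):
    """Turn OID content bytes into dotted notation (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def cert_signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of one DER certificate."""
    tag, cert, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = der_read_tlv(cert, 0)        # skip tbsCertificate
    tag, algid, _ = der_read_tlv(cert, pos)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid, _ = der_read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected an OID")
    return der_decode_oid(oid)


def pem_to_der_list(pem_text):
    """Extract every CERTIFICATE block of a PEM bundle as DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text):
    """Return [(index, algorithm_name, uses_broken_digest)] per certificate."""
    result = []
    for i, der in enumerate(pem_to_der_list(pem_text)):
        name = SIG_OIDS.get(cert_signature_oid(der), cert_signature_oid(der))
        result.append((i, name, any(name.lower().startswith(d) for d in BROKEN_DIGESTS)))
    return result


# --- constructed sample input (dummy certificates, not verifiable) -----------
def der_tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, body)


def fake_cert_pem(sig_oid):
    """Structurally a Certificate with a stand-in body and signature."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    algid = der_tlv(0x30, der_encode_oid(sig_oid) + der_tlv(0x05, b""))
    sig = der_tlv(0x03, b"\x00" * 17)
    b64 = base64.b64encode(der_tlv(0x30, tbs + algid + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (fake_cert_pem("1.2.840.113549.1.1.5")     # leaf: SHA-1
                 + fake_cert_pem("1.2.840.113549.1.1.4")   # intermediate: MD5
                 + fake_cert_pem("1.2.840.113549.1.1.5"))  # root: SHA-1

if __name__ == "__main__":
    for idx, name, broken in audit_chain(SAMPLE_BUNDLE):
        print(f"cert #{idx}: {name}{'  <-- MD5/MD2, now rejected' if broken else ''}")
```

Run it over the chain your LDAP server sends (or `openssl s_client -showcerts` output) to see which link is the MD5-signed one. Note that only the signatures on certificates below a trust anchor are checked by a verifier; a self-signed root's own signature is never verified, so an MD5-signed root in the trust store is not by itself the problem, an MD5-signed intermediate is.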
