Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation
Hello Florian,
Florian Weimer wrote:
>
>>Our servers use commercial certificates, with "GTE CyberTrust Global
>>Root" as the root certificate. It apparently is a v1 x509 certificate...
>
> It uses 1024 bit RSA, it is more than ten years old, and GTE
> Cybertrust does not exist anymore--GTE sold Cybertrust to Baltimore,
> Baltimore was sucked into Betrusted, and Betrusted was bought by
> Verizon, so the key material is controlled by someone else these days.
> (It does not matter that the self-signature uses RSA-MD5.)
As Thijs Kinkhorst said, even if this sucks, this root certificate is
still in wide use in the European academic community...
> You could try whether recompiling gnutls13 with this patch
>
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807>
>
> enables your setup to work.
I just built it; it seems to work fine.
> However, it is unlikely that we will
> apply a similar change to lenny. (For etch, the best approach is
> still somewhat unclear. But it's either changing gnutls13 in this
> way, or keeping the current behavior; modifying all applications is
> out of the question.)
What's the problem with this patch?
As for etch, I don't think the best approach is to keep things broken by
a security update.
As for lenny, I'd prefer not to have to add the intermediate CA to my
trusted list, but it certainly looks like a working solution.
Regards,
--
Nicolas Boullis
École Centrale Paris
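The three properties Weimer lists for the root (X.509 version, RSA modulus size, signature algorithm) are what decide whether a trust anchor keeps working after this update, and they are easy to check before an upgrade. The script below is an added example, not code from the thread, from gnutls or from Debian: it walks the DER structure of a certificate with the Python standard library only, returns those three properties, and flags the conditions discussed above (v1 certificate, key shorter than 2048 bits, RSA-MD5 self-signature). The two sample certificates it builds are constructed stand-ins with dummy all-zero signatures and arbitrary validity dates, not the GTE CyberTrust Global Root; the helper names (inspect_cert, audit, build_cert, load_pem) and the OID constants' names are this example's own.

```python
# Added example (not from the thread, gnutls or Debian): stdlib-only DER walk of a certificate.
import base64, re
RSA_ENCRYPTION, MD5_WITH_RSA = '1.2.840.113549.1.1.1', '1.2.840.113549.1.1.4'

def der(tag, content):                          # DER TLV encoder, short and long length forms
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(n):                                 # positive INTEGER, leading 0x00 if the top bit is set
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), 'big')
    return der(0x02, (b'\x00' if b[0] & 0x80 else b'') + b)

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split('.')]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p := p >> 7:
            enc.append(0x80 | (p & 0x7F))
        out += bytes(reversed(enc))
    return bytes(out)

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts, v = parts + [v], 0
    return '.'.join(map(str, parts))

def tlv(buf, off=0):                            # -> (tag, content, offset after the element)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], 'big'), off + k
    return tag, buf[off:off + ln], off + ln

def children(content):                          # every TLV directly inside a constructed element
    out, off = [], 0
    while off < len(content):
        tag, body, off = tlv(content, off)
        out.append((tag, body))
    return out

def inspect_cert(der_bytes):                    # -> (x509_version, signature_oid, rsa_bits or None)
    _, cert, _ = tlv(der_bytes)
    _, tbs, _ = tlv(cert)                       # tbsCertificate is the first element of Certificate
    fields = children(tbs)
    version = 1                                 # version [0] EXPLICIT is simply absent in a v1 certificate
    if fields[0][0] == 0xA0:
        version = int.from_bytes(children(fields[0][1])[0][1], 'big') + 1
        fields = fields[1:]
    sig_oid = decode_oid(children(fields[1][1])[0][1])   # fields: serial, signature, issuer, validity, subject, spki
    spki_alg, spki_key = children(fields[5][1])[:2]
    bits = None
    if decode_oid(children(spki_alg[1])[0][1]) == RSA_ENCRYPTION:
        _, rsa_seq, _ = tlv(spki_key[1][1:])    # skip the BIT STRING unused-bits byte
        bits = int.from_bytes(children(rsa_seq)[0][1], 'big').bit_length()
    return version, sig_oid, bits

def audit(der_bytes):                           # findings that matter for a trust anchor after DSA-1719-1
    version, sig_oid, bits = inspect_cert(der_bytes)
    findings = []
    if version == 1:
        findings.append('X.509v1: cannot carry basicConstraints, so gnutls13 with the DSA fix no longer accepts it as a CA')
    if bits is not None and bits < 2048:
        findings.append(f'RSA-{bits} key, below 2048 bits')
    if sig_oid == MD5_WITH_RSA:
        findings.append('md5WithRSAEncryption signature (harmless only on a self-signed trust anchor)')
    return findings

def alg_id(oid):                                # AlgorithmIdentifier with NULL parameters
    return der(0x30, der(0x06, encode_oid(oid)) + b'\x05\x00')
def name(cn):                                   # Name with a single commonName PrintableString RDN
    return der(0x30, der(0x31, der(0x30, der(0x06, encode_oid('2.5.4.3')) + der(0x13, cn.encode()))))

def build_cert(cn, version, sig_oid, modulus_bits):
    """Constructed stand-in with a dummy all-zero signature: right structure, not a real root."""
    n = (1 << (modulus_bits - 1)) | 1           # exact modulus size is all the audit looks at
    spki = der(0x30, alg_id(RSA_ENCRYPTION) + der(0x03, b'\x00' + der(0x30, der_int(n) + der_int(65537))))
    tbs = der(0xA0, der_int(version - 1)) if version > 1 else b''
    tbs += (der_int(1) + alg_id(sig_oid) + name(cn)
            + der(0x30, der(0x17, b'980813000000Z') + der(0x17, b'180813235959Z')) + name(cn) + spki)
    if version > 1:                             # basicConstraints CA:TRUE (critical), expressible only in v3
        bc = der(0x30, der(0x06, encode_oid('2.5.29.19')) + der(0x01, b'\xff') + der(0x04, der(0x30, der(0x01, b'\xff'))))
        tbs += der(0xA3, der(0x30, bc))
    return der(0x30, der(0x30, tbs) + alg_id(sig_oid) + der(0x03, b'\x00' + bytes(modulus_bits // 8)))

def load_pem(text):                             # for real certificates, e.g. the files in /etc/ssl/certs
    b64 = re.search(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', text, re.S).group(1)
    return base64.b64decode(''.join(b64.split()))

if __name__ == '__main__':                      # the two constructed samples; real DER or PEM bytes go the same way
    for label, raw in (('v1 md5 1024', build_cert('Constructed v1 root', 1, MD5_WITH_RSA, 1024)),
                       ('v3 sha256 2048', build_cert('Constructed v3 root', 3, '1.2.840.113549.1.1.11', 2048))):
        print(label, inspect_cert(raw), audit(raw) or ['nothing flagged'])
```

To check an actual trust store, call audit(load_pem(open(path).read())) for each PEM file, or audit(open(path, 'rb').read()) for DER. Non-RSA keys come back with bits set to None and are not flagged for size, and the walk stops at subjectPublicKeyInfo, so a v3 certificate's extensions (including whether basicConstraints is actually present) are not examined; a v1 certificate is flagged purely on the absence of the version field, which is exactly the property the gnutls13 change keys on.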