Whoos with GnuTLS and md5-signed certificates
Hi folks

GnuTLS stopped accepting MD5 as a proper signature type for certificates just two weeks before the release. While I don't question the decision itself, MD5 has been broken for 4 years, I question the timing.

Yesterday several people started to complain that they could no longer connect to their ldap servers, many of them using pam-ldap and nss-ldap. A quick look showed certificates in the chain which were signed with MD5. Even many commercial or non-commercial CAs out there have MD5 signed certs somewhere in the chain and all of them will no longer work now until these intermediate certs are trusted explicitly. Most of them already switched to SHA1 for their enduser certificates.

So now we have a change in Lenny which will break many, many machines. It is neither properly documented in the NEWS file of the package itself nor in the release notes.

Bastian

--
Too much of anything, even love, isn't necessarily a good thing.
		-- Kirk, "The Trouble with Tribbles", stardate 4525.6

Whoos with GnuTLS and md5-signed certificates
* Bastian Blank:
> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.

GNUTLS has rejected RSA-MD5 signatures in X.509 certificate chains since version 1.2.9.

> Yesterday several people started to complain that they could no longer
> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.

Are you sure this isn't #514807?

Whoos with GnuTLS and md5-signed certificates
On 2009-02-14 Florian Weimer <fw@deneb.enyo.de> wrote:
> * Bastian Blank:
>> GnuTLS stopped accepting MD5 as a proper signature type for certificates
>> just two weeks before the release. While I don't question the decision
>> itself, MD5 has been broken for 4 years, I question the timing.
> GNUTLS has rejected RSA-MD5 signatures in X.509 certificate chains
> since version 1.2.9.
[...]

It has been documented to do so, however the rejection did not work (in all cases?).

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Whoos with GnuTLS and md5-signed certificates
Florian Weimer wrote:
>> Yesterday several people started to complain that they could no longer
>> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
>> A quick look showed certificates in the chain which were signed with MD5.
> Are you sure this isn't #514807?

Also see #514578.

--
Brian May <brian@microcomaustralia.com.au>

Whoos with GnuTLS and md5-signed certificates
On 02/13/2009 08:46 AM, Bastian Blank wrote:
> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.
>
> Yesterday several people started to complain that they could no longer
> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5 signed
> certs somewhere in the chain and all of them will no longer work now
> until these intermediate certs are trusted explicitly. Most of them
> already switched to SHA1 for their enduser certificates.
>
> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> itself nor in the release notes.

The problem is not just MD5 certificates, but also version 1 certificates as certificate authorities.

I agree that the timing is problematic (perhaps because we should have been through this particular pain of deprecating MD5 and V1 certs years ago).

I just wrote a blog post trying to outline some concrete steps that people (users, developers, maintainers, and sysadmins) can take to deal with these changes:

https://www.debian-administration.org/users/dkg/weblog/42

I'm sure it's not complete, and while i did my best to keep it correct, some errors may have slipped in too. Any clarifications or corrections would be most welcome.

Are there any concrete proposals for how to deal with this systematically within debian without leaving GnuTLS users in lenny perpetually gullible to MD5-based forgeries, or improperly-trusted V1 certificates?

Regards,

--dkg

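The two properties this thread keeps returning to, an MD5 signature and an X.509 version 1 certificate, can be checked for in a PEM bundle before an upgrade. The following is an added example, not part of any poster's message and not GnuTLS code: a standard-library Python script whose function names (`tlv`, `oid`, `cert_info`, `audit`) and output tuple layout are this example's own.

```python
import base64
import re
import sys

SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",  # dotted OID -> name
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def oid(body):  # OBJECT IDENTIFIER content octets -> dotted string
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:  # later arcs are base-128, high bit set means "more"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_info(der):  # -> (x509_version, signature_algorithm) of one certificate
    _, cert_s, _ = tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = tlv(der, cert_s)  # tbsCertificate
    tag, v_s, _ = tlv(der, tbs_s)
    version = 1                         # V1 certificates omit the [0] version field
    if tag == 0xA0:
        _, i_s, i_e = tlv(der, v_s)
        version = int.from_bytes(der[i_s:i_e], "big") + 1
    _, alg_s, _ = tlv(der, tbs_e)       # signatureAlgorithm follows tbsCertificate
    _, o_s, o_e = tlv(der, alg_s)
    dotted = oid(der[o_s:o_e])
    return version, SIG_OIDS.get(dotted, dotted)

def audit(pem_text):  # -> [(index, version, algorithm, md5_signed, is_v1), ...]
    rows = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        version, alg = cert_info(base64.b64decode(m.group(1)))
        rows.append((i, version, alg, alg.startswith("md5"), version == 1))
    return rows

if __name__ == "__main__":  # usage: python3 audit_chain.py bundle.pem
    print(*audit(open(sys.argv[1]).read()), sep="\n")
```

Algorithms not in `SIG_OIDS` are reported by their dotted OID, so the table can be extended without touching the parser.
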
Whoos with GnuTLS and md5-signed certificates
Daniel Kahn Gillmor wrote:
> Are there any concrete proposals for how to deal with this systematically
> within debian without leaving GnuTLS users in lenny perpetually gullible
> to MD5-based forgeries, or improperly-trusted V1 certificates?

Unless you want to "fix" openssl, Firefox, etc, Lenny users will still be vulnerable even if GnuTLS is fixed.

The sooner MD5 certificates (not counting explicitly trusted self signed certificates here) are disabled everywhere the better, IMHO.

Yes, this may break stuff. Unfortunately.

--
Brian May <brian@microcomaustralia.com.au>

Whoos with GnuTLS and md5-signed certificates
On Fri, Feb 13, 2009 at 02:46:17PM +0100, Bastian Blank wrote:
> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.

> Yesterday several people started to complain that they could no longer
> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5 signed
> certs somewhere in the chain and all of them will no longer work now
> until these intermediate certs are trusted explicitly. Most of them
> already switched to SHA1 for their enduser certificates.

> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> itself nor in the release notes.

This also bit a number of Ubuntu users when security updates were issued for the GnuTLS CVE, because Ubuntu already had releases out with a GnuTLS-using OpenLDAP:

https://bugs.launchpad.net/bugs/305264

The conclusion reached there is that it would be reasonable to patch the OpenLDAP package in the supported Ubuntu releases to allow V1 certs, for "feature"-parity when building with either OpenSSL or GnuTLS.

I don't know that this would be appropriate for lenny. For Debian this wasn't a regression introduced in the server in a stable security update - etch's slapd is linked against OpenSSL - and this is only one of a pretty large number of behavior differences between etch's and lenny's slapd. On the client side, OTOH, it is a significant behavior change for both etch and lenny.

As for other apps that use GnuTLS, I don't know. For some reason the only reports of problems have been from users of OpenLDAP, not of other TLS-capable services.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Whoos with GnuTLS and md5-signed certificates
Would those who have an interest in this topic please test the patch in

<http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807;mbox=yes>

and report if it improves things for them? Thanks.

Whoos with GnuTLS and md5-signed certificates
* Florian Weimer:
> Would those who have an interest in this topic please test the patch
> in
>
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807;mbox=yes>
>
> and report if it improves things for them? Thanks.

For the record, it's very likely that we are soon to release updates with the patch applied. We will not change the MD5 behavior because it is not clear to me that it is necessary.