Linux Archive


Bastian Blank 02-13-2009 12:46 PM

Whoos with GnuTLS and md5-signed certificates
 
Hi folks

GnuTLS stopped accepting MD5 as a proper signature type for certificates
just two weeks before the release. While I don't question the decision
itself, MD5 has been broken for 4 years, I question the timing.

Yesterday several people started to complain that they could no longer
connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
A quick look showed certificates in the chain which were signed with MD5.
Even many commercial or non-commercial CAs out there have MD5-signed
certs somewhere in the chain and all of them will no longer work now
until these intermediate certs are trusted explicitly. Most of them
already switched to SHA1 for their end-user certificates.

So now we have a change in Lenny which will break many, many machines.
It is neither properly documented in the NEWS file of the package
itself nor in the release notes.

Bastian

--
Too much of anything, even love, isn't necessarily a good thing.
-- Kirk, "The Trouble with Tribbles", stardate 4525.6

Florian Weimer 02-14-2009 12:32 PM

Whoos with GnuTLS and md5-signed certificates
 
* Bastian Blank:

> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.

GNUTLS has rejected RSA-MD5 signatures in X.509 certificate chains
since version 1.2.9.

> Yesterday several people started to complain that they could no longer
> connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.

Are you sure this isn't #514807?


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Andreas Metzler 02-14-2009 01:51 PM

Whoos with GnuTLS and md5-signed certificates
 
On 2009-02-14 Florian Weimer <fw@deneb.enyo.de> wrote:
> * Bastian Blank:
>> GnuTLS stopped accepting MD5 as a proper signature type for certificates
>> just two weeks before the release. While I don't question the decision
>> itself, MD5 has been broken for 4 years, I question the timing.

> GNUTLS has rejected RSA-MD5 signatures in X.509 certificate chains
> since version 1.2.9.
[...]

It has been documented to do so; however, the rejection did not work (in
all cases?).

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3332

cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Brian May 02-14-2009 10:11 PM

Whoos with GnuTLS and md5-signed certificates
 
Florian Weimer wrote:

>> Yesterday several people started to complain that they could no longer
>> connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
>> A quick look showed certificates in the chain which were signed with MD5.
>
> Are you sure this isn't #514807?


Also see #514578.

--
Brian May <brian@microcomaustralia.com.au>



Daniel Kahn Gillmor 02-15-2009 04:29 PM

Whoos with GnuTLS and md5-signed certificates
 
On 02/13/2009 08:46 AM, Bastian Blank wrote:
> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.
>
> Yesterday several people started to complain that they could no longer
> connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5-signed
> certs somewhere in the chain and all of them will no longer work now
> until these intermediate certs are trusted explicitly. Most of them
> already switched to SHA1 for their end-user certificates.
>
> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> itself nor in the release notes.

The problem is not just MD5 certificates, but also version 1
certificates as certificate authorities. I agree that the timing is
problematic (perhaps because we should have been through this particular
pain of deprecating MD5 and V1 certs years ago).

I just wrote a blog post trying to outline some concrete steps that
people (users, developers, maintainers, and sysadmins) can take to deal
with these changes:

https://www.debian-administration.org/users/dkg/weblog/42

I'm sure it's not complete, and while I did my best to keep it correct,
some errors may have slipped in too. Any clarifications or corrections
would be most welcome.

Are there any concrete proposals for how to deal with this
systematically within Debian without leaving GnuTLS users in lenny
perpetually gullible to MD5-based forgeries, or improperly-trusted V1
certificates?

Regards,

--dkg
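
An added example, not part of any post in this thread: a standard-library Python check that reads the version and signature algorithm from each DER certificate in a chain and flags the two cases raised above, RSA-MD5 signatures and version 1 certificates in an issuer position. The function names and the sample chain are constructed here; the sample certificates are skeletons holding only the leading TBSCertificate fields.

```python
WEAK_SIG_OIDS = {bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def inspect_cert(der):
    """Return (x509_version, signature_oid_bytes) from a DER certificate."""
    tag, cert, _ = read_tlv(der)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = read_tlv(cert)                # TBSCertificate
    tag, val, pos = read_tlv(tbs)
    version = 1                               # [0] absent means v1
    if tag == 0xA0:                           # [0] EXPLICIT Version
        version = int.from_bytes(read_tlv(val)[1], "big") + 1
        _, _, pos = read_tlv(tbs, pos)        # skip serialNumber
    _, alg, _ = read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    return version, read_tlv(alg)[1]          # its first element is the OID

def audit_chain(chain):
    """chain: DER certificates, leaf first. Returns [(index, finding), ...]."""
    findings = []
    for i, der in enumerate(chain):
        version, oid = inspect_cert(der)
        if oid in WEAK_SIG_OIDS:
            findings.append((i, "signed with " + WEAK_SIG_OIDS[oid]))
        if i > 0 and version == 1:            # any non-leaf position acts as a CA
            findings.append((i, "version 1 certificate acting as CA"))
    return findings

def tlv(tag, value):  # encoder for the constructed samples (short lengths only)
    return bytes([tag, len(value)]) + value

def sample_cert(oid_hex, version=None):
    """Constructed skeleton: leading TBSCertificate fields, no key or signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    ver = tlv(0xA0, tlv(0x02, bytes([version - 1]))) if version else b""
    return tlv(0x30, tlv(0x30, ver + tlv(0x02, b"\x01") + alg))

# Constructed chain, leaf first: SHA-1 v3 leaf, MD5 v3 intermediate, SHA-1 v1 root.
SHA1, MD5 = "2a864886f70d010105", "2a864886f70d010104"
SAMPLE_CHAIN = [sample_cert(SHA1, 3), sample_cert(MD5, 3), sample_cert(SHA1)]
```

Real PEM certificates can be converted to DER for `audit_chain` with `ssl.PEM_cert_to_DER_cert` from the standard library.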

Brian May 02-15-2009 11:19 PM

Whoos with GnuTLS and md5-signed certificates
 
Daniel Kahn Gillmor wrote:

> Are there any concrete proposals for how to deal with this
> systematically within Debian without leaving GnuTLS users in lenny
> perpetually gullible to MD5-based forgeries, or improperly-trusted V1
> certificates?



Unless you want to "fix" OpenSSL, Firefox, etc., Lenny users will still
be vulnerable even if GnuTLS is fixed.


The sooner MD5 certificates (not counting explicitly trusted self-signed
certificates here) are disabled everywhere the better, IMHO.


Yes, this may break stuff. Unfortunately.

--
Brian May <brian@microcomaustralia.com.au>



Steve Langasek 02-16-2009 05:59 AM

Whoos with GnuTLS and md5-signed certificates
 
On Fri, Feb 13, 2009 at 02:46:17PM +0100, Bastian Blank wrote:

> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.

> Yesterday several people started to complain that they could no longer
> connect to their LDAP servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5-signed
> certs somewhere in the chain and all of them will no longer work now
> until these intermediate certs are trusted explicitly. Most of them
> already switched to SHA1 for their end-user certificates.

> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> itself nor in the release notes.

This also bit a number of Ubuntu users when security updates were issued for
the GnuTLS CVE, because Ubuntu already had releases out with a GnuTLS-using
OpenLDAP:

https://bugs.launchpad.net/bugs/305264

The conclusion reached there is that it would be reasonable to patch the
OpenLDAP package in the supported Ubuntu releases to allow V1 certs, for
"feature"-parity when building with either OpenSSL or GnuTLS.

I don't know that this would be appropriate for lenny. For Debian this
wasn't a regression introduced in the server in a stable security update -
etch's slapd is linked against OpenSSL - and this is only one of a pretty
large number of behavior differences between etch's and lenny's slapd. On
the client side, OTOH, it is a significant behavior change for both etch and
lenny.

As for other apps that use GnuTLS, I don't know. For some reason the only
reports of problems have been from users of OpenLDAP, not of other
TLS-capable services.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org



Florian Weimer 02-16-2009 09:29 AM

Whoos with GnuTLS and md5-signed certificates
 
Would those who have an interest in this topic please test the patch
in

<http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807;mbox=yes>

and report if it improves things for them? Thanks.



Florian Weimer 02-24-2009 06:49 PM

Whoos with GnuTLS and md5-signed certificates
 
* Florian Weimer:

> Would those who have an interest in this topic please test the patch
> in
>
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807;mbox=yes>
>
> and report if it improves things for them? Thanks.

For the record, it's very likely that we are soon to release updates
with the patch applied. We will not change the MD5 behavior because
it is not clear to me that it is necessary.



