Brian May <br...@microcomaustralia.com.au> writes:

> Hello,
>
> This appears to break LDAP that uses cacert's class 3 certificate[1].
>
> More information at <http://blog.cacert.org/2009/01/356.html#comments>
>
> From a previous report "you need to trust an intermediary certificate"
> - I already do just that, but it doesn't work. As such, I don't believe
> this is a security risk, because I have a known good copy of the
> intermediary CA certificate.
>
> The server certificate itself is not based on md5.
>
> "renew my certificates" is not an option until cacert generates a new CA
> certificate.
>
> Unfortunately the result of this may be that I may have to downgrade
> security (e.g. disable TLS) in order to finish the upgrade to Lenny :-(
>
> Any workarounds would be appreciated ;-).
Are you using gnutls 2.4.2-6 from unstable? It should be fixed in that version. It is not fixed in 2.4.2-5 (in testing), I believe.

> [1] actually I am not positive of this, as the output of "gnutls-cli -p
> ldaps server -d 4711 --print-cert --x509cafile
> /etc/ssl/certs/class3.pem" doesn't mention md5 anywhere

You'll need to pipe the output from gnutls-cli --print-cert to certtool -i to get the signature algorithm. This will be changed in the v2.7.x branch, so that all details are printed by gnutls-cli.

> however I know the intermediate CA certificate is based on md5 so I am
> assuming it is the same issue as here.

I suspect it is the same problem.

/Simon
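The field that certtool -i reports, and that gnutls-cli --print-cert of that era did not, is the signatureAlgorithm of each certificate in the chain. The following is an added Python example (not code from this thread or from the gnutls project) that reads that field straight out of a DER/PEM certificate and flags md5WithRSAEncryption, the case that makes an MD5-signed intermediate CA unacceptable; the sample certificates are constructed inside the script and the OID table is deliberately limited to three RSA algorithms.

```python
import base64
import re

# Assumption: only these RSA signature OIDs are needed for the demonstration.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(text):
    """Extract the first CERTIFICATE block from PEM text (e.g. class3.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm(der):
    """Return the outer signatureAlgorithm name (or dotted OID) of a DER cert."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { ... }
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    _, algid, _ = _tlv(cert, pos)          # signatureAlgorithm AlgorithmIdentifier
    tag, oid, _ = _tlv(algid, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def is_md5_signed(der):
    return signature_algorithm(der) == "md5WithRSAEncryption"

def constructed_cert(sig_oid_hex):
    """Constructed sample: structurally valid DER Certificate with an empty
    tbsCertificate and a dummy signature, carrying the given signature OID."""
    oid = bytes.fromhex(sig_oid_hex)
    algid = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + algid + b"\x03\x02\x00\xff"
    return bytes([0x30, len(body)]) + body

SAMPLE_MD5_DER = constructed_cert("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SAMPLE_SHA256_DER = constructed_cert("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SAMPLE_MD5_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(SAMPLE_MD5_DER).decode()
                  + "\n-----END CERTIFICATE-----\n")
```

Run signature_algorithm(pem_to_der(open("/etc/ssl/certs/class3.pem").read())) to check a real CA file; a result of md5WithRSAEncryption means the chain will be refused regardless of how the leaf certificate is signed.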