On Fri, Feb 13, 2009 at 02:46:17PM +0100, Bastian Blank wrote:
> GnuTLS stopped accepting MD5 as a proper signature type for certificates
> just two weeks before the release. While I don't question the decision
> itself, MD5 has been broken for 4 years, I question the timing.
>
> Yesterday several people started to complain that they could no longer
> connect to their ldap servers, many of them using pam-ldap and nss-ldap.
> A quick look showed certificates in the chain which were signed with MD5.
> Even many commercial or non-commercial CAs out there have MD5-signed
> certs somewhere in the chain and all of them will no longer work now
> until these intermediate certs are trusted explicitly. Most of them
> already switched to SHA1 for their end-user certificates.
> So now we have a change in Lenny which will break many, many machines.
> It is neither properly documented in the NEWS file of the package
> itself nor in the release notes.

This also bit a number of Ubuntu users when security updates were issued for the GnuTLS CVE, because Ubuntu already had releases out with a GnuTLS-using OpenLDAP:

https://bugs.launchpad.net/bugs/305264

The conclusion reached there is that it would be reasonable to patch the OpenLDAP package in the supported Ubuntu releases to allow V1 certs, for "feature"-parity when building with either OpenSSL or GnuTLS.

I don't know that this would be appropriate for lenny. For Debian this wasn't a regression introduced in the server in a stable security update - etch's slapd is linked against OpenSSL - and this is only one of a pretty large number of behavior differences between etch's and lenny's slapd. On the client side, OTOH, it is a significant behavior change for both etch and lenny.

As for other apps that use GnuTLS, I don't know. For some reason the only reports of problems have been from users of OpenLDAP, not of other TLS-capable services.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
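A defender-side check for the situation discussed in this thread, added here as an example and not code from the thread, GnuTLS or OpenLDAP: it walks a PEM chain with a minimal DER reader and reports which certificates carry an MD5 signature and whether they are X.509 v1, so an admin can find the intermediate that GnuTLS will reject before users start reporting failed LDAP binds. The two-certificate chain it runs on is constructed (structurally valid DER, not real certificates).

```python
import base64
import re

# PKCS#1 signature-algorithm OIDs (RFC 3279/4055); the MD5 one is what GnuTLS now rejects.
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
MD5_OIDS = {"1.2.840.113549.1.1.4"}

def read_tlv(buf, pos):  # one DER tag-length-value -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):  # DER OBJECT IDENTIFIER body -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                 # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_info(der):  # -> (X.509 version, signature OID, algorithm name)
    _, pos, _ = read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = read_tlv(der, pos)        # tbsCertificate
    tag, start, _ = read_tlv(der, tbs_start)
    version = 1                                       # absent version field means v1
    if tag == 0xA0:                                   # [0] EXPLICIT Version INTEGER
        _, s, e = read_tlv(der, start)
        version = int.from_bytes(der[s:e], "big") + 1
    _, alg_start, _ = read_tlv(der, tbs_end)          # signatureAlgorithm AlgorithmIdentifier
    _, o_start, o_end = read_tlv(der, alg_start)      # its OBJECT IDENTIFIER
    oid = decode_oid(der[o_start:o_end])
    return version, oid, SIG_OIDS.get(oid, "unknown")

def find_md5_signed(pem_text):  # -> [(chain index, X.509 version, algorithm)] for MD5-signed certs
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    infos = [cert_signature_info(base64.b64decode("".join(b.split()))) for b in bodies]
    return [(i, ver, name) for i, (ver, oid, name) in enumerate(infos) if oid in MD5_OIDS]

# Constructed, structurally minimal DER "certificates" (not real ones), wrapped as a PEM chain:
# a v3 leaf signed with sha256WithRSA, then a v1 intermediate signed with md5WithRSA.
SAMPLE_CHAIN = "".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % base64.b64encode(bytes.fromhex(h)).decode()
    for h in ("301d 3008 a003020102 020101 300d06092a864886f70d01010b0500 030200ff",
              "3018 3003 020101 300d06092a864886f70d0101040500 030200ff"))
```

On a real chain file, `find_md5_signed(open("chain.pem").read())` returns the offending positions; an empty list means no certificate in the chain is MD5-signed.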