Comment 31 for bug 305264

Jamie Strandboge (jdstrand) wrote :

Commenting per request in #ubuntu-meeting.

It is a really unfortunate situation that these certificates unintentionally passed verification before the updates. IMO, the security fix (that is also in other distributions now) is needed and should not be backed out. Without it, man-in-the middle attacks against certificate chains are much easier to conduct. From a security perspective, the patch needs to stay and the gnutls defaults of disabling V1 certificates need to stay the same.

I am well aware that the current situation breaks certain configurations, and do not feel I can make the final decision.

There is also the patch in bug #314915, also discussed upstream, that may be an option. AFAICT, this patch has not been applied upstream yet and I feel uncomfortable applying it without more Debian and Gnutls feedback (lately, each time this section of code has been touched another bug in the certificate chain verification popped up).