New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnutls28 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
For example /usr/share/
gnutls-cli --starttls-proto smtp --port 25 smtp.yandex.ru -d 2
- Certificate[2] info:
- subject `CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL', issuer `CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL', serial 0x0093928540016
|<2>| issuer in verification was not found or insecure; trying against trust list
|<2>| GNUTLS_
Secure check for SHA1 has exception for self-signed certificates
this check is not:
if (sigalg >= 0 && se) {
if (is_level_
MARK_
}
/* If the certificate is not self signed check if the algorithms
* used are secure. If the certificate is self signed it doesn't
* really matter.
*/
if (_gnutls_
_
is_
MARK_
}
}
Status changed to 'Confirmed' because the bug affects multiple users.