[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |
5.3.1 Trading Security for Interoperability
If you connect to a server and use GnuTLS' functions to verify the
certificate chain, and get a GNUTLS_CERT_INSECURE_ALGORITHM
validation error (see section Verifying X.509 Certificate Paths), it means
that somewhere in the certificate chain there is a certificate signed
using RSA-MD2
or RSA-MD5
. These two digital signature
algorithms are considered broken, so GnuTLS fail when attempting to
verify the certificate. In some situations, it may be useful to be
able to verify the certificate chain anyway, assuming an attacker did
not utilize the fact that these signatures algorithms are broken.
This section will give help on how to achieve that.
First, it is important to know that you do not have to enable any of
the flags discussed here to be able to use trusted root CA
certificates signed using RSA-MD2
or RSA-MD5
. The only
attack today is that it is possible to generate certificates with
colliding signatures (collision resistance); you cannot generate a
certificate that has the same signature as an already existing
signature (2nd preimage resistance).
If you are using gnutls_certificate_verify_peers2 to verify the
certificate chain, you can call
gnutls_certificate_set_verify_flags with the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2
or
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
flag, as in:
gnutls_certificate_set_verify_flags (x509cred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5); |
This will tell the verifier algorithm to enable RSA-MD5
when
verifying the certificates.
If you are using gnutls_x509_crt_verify or
gnutls_x509_crt_list_verify, you can pass the
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5
parameter directly in the
flags
parameter.
If you are using these flags, it may also be a good idea to warn the
user when verification failure occur for this reason. The simplest is
to not use the flags by default, and only fall back to using them
after warning the user. If you wish to inspect the certificate chain
yourself, you can use gnutls_certificate_get_peers to extract
the raw server's certificate chain, then use
gnutls_x509_crt_import to parse each of the certificates, and
then use gnutls_x509_crt_get_signature_algorithm to find out the
signing algorithm used for each certificate. If any of the
intermediary certificates are using GNUTLS_SIGN_RSA_MD2
or
GNUTLS_SIGN_RSA_MD5
, you could present a warning.
[ < ] | [ > ] | [ << ] | [ Up ] | [ >> ] | [Top] | [Contents] | [Index] | [ ? ] |