Stricter GnuTLS rejects outmoded X.509 certs

Recently, several people noticed that GnuTLS behavior did not match its documentation with respect to two significant security concerns, both regarding X.509 certificate validation:

GnuTLS has been fixed upstream, and a fix to at least the latter problem has already propagated into etch via a security upload. The lenny packages should already behave as documented (no MD5 digests accepted in cert validation, v1 certificates not explicitly acceptable as authorities).

However, this means that if you use GnuTLS-linked tools to connect to systems whose certificate chains rely on either MD5 digests (in anything but the root certificate) or on v1 certificates for any of the certificate authorities, your connections may fail due to this stricter validation.

There are already several bug reports about broken LDAP connections and broken mail connections due to these problems, and there have been reasonable concerns raised on debian-release about this.

So what can you do to make sure that the infrastructure you rely on or maintain does not depend on these outmoded and insecure features of X.509? Read on for concrete steps for administrators, developers/maintainers, and end users...

This entry has been truncated read the full entry.

Tags: gnutls, ldap, openldap, security, tip, x.509