Hi,

On Wed, 22 Jan 2020 at 16:42, Brandon Sawyers <[email protected]> wrote:
>
> Hello everyone:
>
> A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804
> (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still in
> the process of migrating our last services off of SHA1 with a target date of
> April this has put us in a pickle.
>
> From reading the docs I expect I should be able to use priority and allow
> SHA1 to function, however making this work has been rather frustrating.
>
> I've tried several different versions of the following command but I would
> expect just having "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should work.
>
> `gnutls-bin --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>
> What am I doing wrong?
>
This seems ok. Looking at gnutls master, a few things jump out. GNUTLS_VERIFY_ALLOW_BROKEN doesn't include the GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 flag. Thus if gnutls-cli does specify --verify-allow-broken that doesn't add SHA1. I guess --insecure will perform the connection.

However, the best you can do is to upgrade your certs. Even if it is internal.directory.org you should be able to get a letsencrypt cert, and if needed instrument a reverse proxy webserver in front of internal.directory.org if for some reason it can't do TLSv1.2 / bigger certs / legacy clients / etc.

Similarly one can do similarish things on the client, i.e. download the older gnutls28 from the archive/launchpad and LD_PRELOAD the old libgnutls30 - the api/abi should have stayed stable to do that.

--
Regards,
Dimitri.
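Before working around the rejection, it helps to know exactly which certificate in a bundle such as ./cachain-with-sha1-signed-cert.pem still carries a SHA-1 signature, since that is what has to be reissued before the April deadline. The following stdlib-only Python audit script is an added example, not code from this thread or from GnuTLS; it reads the outer signatureAlgorithm OID of each PEM certificate, and the two-certificate chain it builds for demonstration is a constructed, structurally minimal fixture rather than a real certificate.

```python
import base64
import re
# Signature-algorithm OIDs built on SHA-1 (RFC 3279, RFC 5758): the ones the
# upgraded GnuTLS rejects unless SHA-1 signatures are explicitly allowed.
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10040.4.3": "dsa-with-sha1", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Outer signatureAlgorithm OID of a DER Certificate (RFC 5280 section 4.1)."""
    _, cert, _ = _read_tlv(der, 0)     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _read_tlv(cert, 0)     # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OBJECT IDENTIFIER")
    return _decode_oid(oid)

def sha1_signed_certs(pem_bundle):
    """[(index, algorithm name)] for every SHA-1 signed certificate in a PEM bundle."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        oid = signature_oid(base64.b64decode(b"".join(m.group(1).split())))
        if oid in SHA1_SIGNATURE_OIDS:
            hits.append((i, SHA1_SIGNATURE_OIDS[oid]))
    return hits

# Constructed fixtures, not valid certificates: empty tbsCertificate, an
# AlgorithmIdentifier carrying the given signature OID, and an empty signature.
def _fixture_pem(oid_hex):
    der = bytes.fromhex("3014 3000 300d 0609" + oid_hex + "0500 030100")
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = (_fixture_pem("2a864886f70d01010b")     # sha256WithRSAEncryption
                + _fixture_pem("2a864886f70d010105"))   # sha1WithRSAEncryption
```

Run `sha1_signed_certs(open("cachain.pem", "rb").read())` against a real bundle; an empty list means no certificate in it is SHA-1 signed.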
