Sorry, I should have made it clear before. I've tried putting the string in both /etc/gnutls/config and /etc/gnutls/default-priorites according to the docs I found, but neither worked.
Thanks,

On Sun, Jan 26, 2020, 17:18 Brandon Sawyers <[email protected]> wrote:
> Thanks for the help.
>
> We are already in the process of updating some of the certs. Thanks for the
> reminder.
>
> Now I just need to figure out how to have the priority string apply system
> wide instead of just gnutls-cli.
>
> Any tips there?
>
> Thanks again,
> Brandon
>
>
> On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <[email protected]> wrote:
>
>> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <[email protected]> wrote:
>> >
>> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <[email protected]> wrote:
>> > >
>> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <[email protected]> wrote:
>> > > >
>> > > > Hello everyone:
>> > > >
>> > > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and
>> > > > 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are
>> > > > still in the process of migrating our last services off of SHA1 with a
>> > > > target date of April, this has put us in a pickle.
>> > > >
>> > > > From reading the docs I expect I should be able to use priority and
>> > > > allow SHA1 to function; however, making this work has been rather
>> > > > frustrating.
>> > > >
>> > > > I've tried several different versions of the following command, but
>> > > > I would expect just having the "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set
>> > > > should work.
>> > > >
>> > > > `gnutls-cli --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>> > >
>> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available
>> > > priority strings are documented in:
>> > > https://gnutls.org/manual/html_node/Priority-Strings.html
>> > >
>> >
>> > From what I can tell, the backports do not include that
>> > flag.... I'm escalating this, as this is regression-security: I do
>> > not believe that upstream code is affected, as this is an issue in the
>> > patch set released in ubuntu.
>> >
>> > I hope to move this discussion downstream to
>> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
>> >
>>
>> To close this out, a further update got published to the affected
>> releases which adds support to use "%VERIFY_ALLOW_BROKEN" and
>> "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing
>> one to re-enable obsoleted hashes in certificate signatures.
>>
>> But please upgrade your certificates to use SHA256 nonetheless, as
>> progressively more software will start outright rejecting SHA1
>> certificates without a way to turn them back on.
>>
>> --
>> Regards,
>>
>> Dimitri.
>>
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
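The thread's closing advice is to find and replace the SHA1-signed certificates rather than rely on the `%VERIFY_ALLOW_SIGN_WITH_SHA1` escape hatch. The following is an added example (not from the thread or from GnuTLS) that audits a PEM bundle such as the `cachain-with-sha1-signed-cert.pem` mentioned above by reading each certificate's outer signatureAlgorithm OID with a minimal DER walker; the two certificates in `SAMPLE_BUNDLE` are constructed placeholders, not real certificates.

```python
import base64, re

# OIDs of common certificate signature algorithms (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm in Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, start, _ = der_tlv(der, 0)                      # outer SEQUENCE
    _, _, tbs_end = der_tlv(der, start)                # skip tbsCertificate
    _, alg_start, _ = der_tlv(der, tbs_end)            # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = der_tlv(der, alg_start)    # its first element is the OID
    return decode_oid(der[oid_start:oid_end])

def audit_chain(pem_text):
    """Return [(index, algorithm name, uses_sha1)] for each cert in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    result = []
    for i, b in enumerate(blocks):
        oid = signature_algorithm(base64.b64decode("".join(b.split())))
        name = SIG_OIDS.get(oid, oid)
        result.append((i, name, "sha1" in name.lower()))
    return result

# Constructed sample (not real certs): placeholder tbsCertificate plus a sha1WithRSA or
# sha256WithRSA outer signatureAlgorithm; short-form DER lengths are enough for this toy.
def der(tag, body):
    return bytes([tag, len(body)]) + body
def fake_cert_pem(oid_hex):
    d = der(0x30, der(0x30, der(0x02, b"\x01"))
            + der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
            + der(0x03, b"\x00" + b"\xaa" * 8))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(d).decode()}\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = fake_cert_pem("2a864886f70d010105") + fake_cert_pem("2a864886f70d01010b")
```

Running `audit_chain(open("cachain-with-sha1-signed-cert.pem").read())` on a real bundle lists which certificates still need reissuing before the escape hatch is removed.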
