I think apt pinning down the update is the best option you have for now. In gnutls master, I have added a straightforward default priority barring override, such that if something like this happens in 20.04 LTS there will be a straightforward way to apply a different global default.
On Thu, 30 Jan 2020, 17:35 Brandon Sawyers, <[email protected]> wrote:

> Yes that's the conclusion we came to as well.
>
> Our plan is to hold updates to libgnutls30 until we can update the bad cert.
>
> Thanks,
>
> On Thu, Jan 30, 2020, 04:33 Nikos Mavrogiannopoulos <[email protected]> wrote:
>
>> I do not think (but please correct me), that this version of ubuntu you're using has something like a system-wide policy, so it will not be possible to change the sha1 acceptance system-wide. In that case it will be more effective to try and change the priority string on the specific applications you are interested in. The newer versions of gnutls have a more powerful configuration that can be used to implement a modifiable system-wide policy.
>>
>> regards,
>> Nikos
>>
>> On Mon, Jan 27, 2020 at 5:29 AM Brandon Sawyers <[email protected]> wrote:
>> >
>> > Sorry, I should have made it clear before.
>> >
>> > I've tried putting the string in both /etc/gnutls/config and /etc/gnutls/default-priorites according to the docs I found, but neither worked.
>> >
>> > Thanks,
>> >
>> > On Sun, Jan 26, 2020, 17:18 Brandon Sawyers <[email protected]> wrote:
>> >>
>> >> Thanks for the help.
>> >>
>> >> We are already in the process of updating some of the certs. Thanks for the reminder.
>> >>
>> >> Now I just need to figure out how to have the priority string apply system-wide instead of just gnutls-cli.
>> >>
>> >> Any tips there?
>> >>
>> >> Thanks again,
>> >> Brandon
>> >>
>> >> On Sun, Jan 26, 2020, 16:56 Dimitri John Ledkov <[email protected]> wrote:
>> >>>
>> >>> On Thu, 23 Jan 2020 at 12:16, Dimitri John Ledkov <[email protected]> wrote:
>> >>> >
>> >>> > On Thu, 23 Jan 2020 at 14:01, Nikos Mavrogiannopoulos <[email protected]> wrote:
>> >>> > >
>> >>> > > On Wed, Jan 22, 2020 at 3:42 PM Brandon Sawyers <[email protected]> wrote:
>> >>> > > >
>> >>> > > > Hello everyone:
>> >>> > > >
>> >>> > > > A recent package upgrade in ubuntu 1604 (v3.4.10-4ubuntu1.6) and 1804 (v3.5.18-1ubuntu1.2) has left us without SHA1 support. Since we are still in the process of migrating our last services off of SHA1 with a target date of April, this has put us in a pickle.
>> >>> > > >
>> >>> > > > From reading the docs I expect I should be able to use priority and allow SHA1 to function; however, making this work has been rather frustrating.
>> >>> > > >
>> >>> > > > I've tried several different versions of the following command, but I would expect just having the "NORMAL:+SIGN-RSA-SHA1:+SHA1" priority set should work.
>> >>> > > >
>> >>> > > > `gnutls-bin --x509cafile ./cachain-with-sha1-signed-cert.pem --priority='NORMAL:+SIGN-RSA-SHA1:+SHA1' -p 636 internal.directory.org`
>> >>> > >
>> >>> > > Have you tried appending %VERIFY_ALLOW_SIGN_WITH_SHA1? The available priority strings are documented in:
>> >>> > > https://gnutls.org/manual/html_node/Priority-Strings.html
>> >>> > >
>> >>> >
>> >>> > From what I can tell, the backports do not include that flag.... I'm escalating this, as this is regression-security: I do not believe that upstream code is affected, as this is an issue in the patch set released in ubuntu.
>> >>> >
>> >>> > I hope to move this discussion downstream to
>> >>> > https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1860656
>> >>> >
>> >>>
>> >>> To close this out, a further update got published to the affected releases which adds support to use "%VERIFY_ALLOW_BROKEN" and "%VERIFY_ALLOW_SIGN_WITH_SHA1" in the priority string option, allowing one to re-enable obsoleted hashes in certificate signatures.
>> >>>
>> >>> But please upgrade your certificates to use SHA256 nonetheless, as progressively more software will start outright rejecting SHA1 certificates without a way to turn them back on.
>> >>>
>> >>> --
>> >>> Regards,
>> >>>
>> >>> Dimitri.
>> >
>> > _______________________________________________
>> > Gnutls-help mailing list
>> > [email protected]
>> > http://lists.gnupg.org/mailman/listinfo/gnutls-help
>>
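The thread comes down to finding which certificate in the chain is still SHA-1-signed so it can be replaced rather than whitelisted with %VERIFY_ALLOW_SIGN_WITH_SHA1. The following is an added example, not code from the thread or from GnuTLS: a dependency-free Python audit that reads the outer signatureAlgorithm OID of every certificate in a PEM bundle (such as the file passed to --x509cafile) and reports the SHA-1-signed ones; the two certificates in SAMPLE_BUNDLE are constructed stand-ins with the correct outer DER layout, not real certificates.

```python
import base64
# Signature-algorithm OIDs whose digest is SHA-1 (RFC 3279 names).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def signature_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER in AlgorithmIdentifier"
    return _decode_oid(oid)
def sha1_signed_certs(bundle_text):
    """(index, algorithm name) for every SHA-1-signed certificate in a PEM bundle."""
    hits = []
    for i, blob in enumerate(bundle_text.split("-----END CERTIFICATE-----")[:-1]):
        b64 = blob.split("-----BEGIN CERTIFICATE-----")[1]
        oid = signature_oid(base64.b64decode("".join(b64.split())))
        if oid in SHA1_SIG_OIDS:
            hits.append((i, SHA1_SIG_OIDS[oid]))
    return hits

# Constructed stand-in certificates (not real X.509 data); only the outer
# Certificate { tbsCertificate, signatureAlgorithm, signature } layout is modelled.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length suffices here
def fake_cert(oid_hex):
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return der(0x30, tbs + alg + der(0x03, b"\x00\xaa"))
SAMPLE_BUNDLE = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                        % base64.b64encode(fake_cert(o)).decode()
                        for o in ("2a864886f70d01010b", "2a864886f70d010105"))  # SHA-256, then SHA-1
```

Running sha1_signed_certs over a real chain file gives the zero-based position of each certificate whose signature still uses SHA-1; those are the ones to reissue before the re-enable flag is dropped.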
