Bug#856641: curl: X.509 certificates using md5RSA signatures should be rejected
On Sun, Mar 12, 2017 at 02:11:48PM +, Alessandro Ghedini wrote:
> On Fri, Mar 03, 2017 at 09:41:03AM +0100, lcf wrote:
> > Package: curl
> > Version: 7.52.1-3
> > Severity: important
> >
> > Dear Maintainer,
> >
> > When establishing an https connection, X.509 certificates using md5RSA should be
> > rejected and the connection should be terminated.
> >
> > curl 7.52.1 can do that when it is compiled against OpenSSL 1.1.0 and above.
> > Attempts to establish a connection with hosts using an md5RSA certificate result
> > in
> >
> >     curl: (60) SSL certificate problem: CA signature digest algorithm too weak
> >
> > in that case.
> >
> > OpenSSL 1.1.0 is already included in Debian Stretch, so curl should be
> > compiled against the new OpenSSL to solve this security issue.
>
> The switch to OpenSSL 1.1 was rolled back due to [0], as per release team
> decision (see [1]).

Ugh, [1] was meant to point to https://bugs.debian.org/850880
Bug#856641: curl: X.509 certificates using md5RSA signatures should be rejected
On Fri, Mar 03, 2017 at 09:41:03AM +0100, lcf wrote:
> Package: curl
> Version: 7.52.1-3
> Severity: important
>
> Dear Maintainer,
>
> When establishing an https connection, X.509 certificates using md5RSA should be
> rejected and the connection should be terminated.
>
> curl 7.52.1 can do that when it is compiled against OpenSSL 1.1.0 and above.
> Attempts to establish a connection with hosts using an md5RSA certificate result in
>
>     curl: (60) SSL certificate problem: CA signature digest algorithm too weak
>
> in that case.
>
> OpenSSL 1.1.0 is already included in Debian Stretch, so curl should be
> compiled against the new OpenSSL to solve this security issue.

The switch to OpenSSL 1.1 was rolled back due to [0], as per release team
decision (see [1]).

Cheers

[0] https://bugs.debian.org/844018
Bug#856641: curl: X.509 certificates using md5RSA signatures should be rejected
Package: curl
Version: 7.52.1-3
Severity: important

Dear Maintainer,

When establishing an https connection, X.509 certificates using md5RSA should be
rejected and the connection should be terminated.

curl 7.52.1 can do that when it is compiled against OpenSSL 1.1.0 and above.
Attempts to establish a connection with hosts using an md5RSA certificate result in

    curl: (60) SSL certificate problem: CA signature digest algorithm too weak

in that case.

OpenSSL 1.1.0 is already included in Debian Stretch, so curl should be
compiled against the new OpenSSL to solve this security issue.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (300, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages curl depends on:
ii  libc6     2.24-9
ii  libcurl3  7.52.1-3
ii  zlib1g    1:1.2.8.dfsg-5

curl recommends no packages.

curl suggests no packages.

-- no debconf information
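The rejection the report describes can be reproduced without curl, using only the openssl command-line tool. The script below is an added example, not part of the bug thread or of the curl or Debian packaging; the subject names, the minimal config file and the temporary directory layout are invented for the test. It relies on two facts about OpenSSL 1.1.0 and later: the verifier checks the strength of every signature in the chain except the trust anchor's own self-signature, but only when the verification "auth level" is above 0; libssl sets that level from its default security level (1), which is what a curl built against OpenSSL 1.1.0 sees, whereas `openssl verify` leaves it unset unless `-auth_level` is passed, so the script sets it explicitly and compares level 0 with level 1.

```shell
#!/bin/sh
# Added example (not from the bug report): build an MD5-signed chain and show
# that OpenSSL >= 1.1.0 refuses it at auth level 1 (the libssl default that
# curl inherits) while still accepting it at level 0.

# Create an MD5-signed root plus an MD5-signed leaf under directory $1.
# Returns 2 when this openssl cannot produce MD5 signatures or lacks
# -auth_level (LibreSSL, OpenSSL < 1.1.0, or a distro crypto policy that
# disables MD5), so callers can report "skipped" instead of a false verdict.
make_md5_chain() {
    d=$1
    openssl verify -help 2>&1 | grep -q -- '-auth_level' || return 2
    # Minimal config with a fixed subject and a CA extension section, so the
    # result does not depend on whatever /etc/ssl/openssl.cnf contains.
    cat > "$d/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example MD5 Root
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed root, signature digest forced to MD5.
    openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -md5 \
        -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 2
    # Leaf CSR (hypothetical host name) and an MD5-signed leaf issued by the root.
    openssl req -new -config "$d/req.cnf" -subj "/CN=example.test" \
        -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 2
    openssl x509 -req -md5 -days 1 -in "$d/leaf.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" >/dev/null 2>&1 || return 2
}

# Verify the leaf against the root at auth level $2 and classify the outcome
# as "ok", "too_weak" (X509_V_ERR_CA_MD_TOO_WEAK) or "other: <output>".
verify_at_level() {
    out=$(openssl verify -auth_level "$2" -CAfile "$1/ca.pem" "$1/leaf.pem" 2>&1) || :
    case $out in
        *"too weak"*) echo too_weak ;;
        *": OK"*)     echo ok ;;
        *)            echo "other: $out" ;;
    esac
}

# Build the chain once and report "<level 0 result>/<level 1 result>".
# Expected on OpenSSL >= 1.1.0: "ok/too_weak". The MD5 signature is
# mathematically valid, so level 0 accepts it; level 1 requires at least
# 80 bits of signature security, which MD5 cannot provide.
md5_chain_verdict() {
    work=$(mktemp -d) || return 1
    if make_md5_chain "$work"; then
        verdict="$(verify_at_level "$work" 0)/$(verify_at_level "$work" 1)"
    else
        verdict=skipped
    fi
    rm -rf "$work"
    echo "$verdict"
}

md5_chain_verdict
```

The "too weak" verdict at level 1 is the same X509_V_ERR_CA_MD_TOO_WEAK condition that curl surfaces as error 60; an OpenSSL 1.0.2 build never reaches it, which is why the link-time OpenSSL version decides whether the md5RSA chain is accepted.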