Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-16 Thread Nicolas Boullis
Hello, Florian Weimer wrote: >>I just built it; it seems to work fine. > > Thanks. No problem. Do you plan to issue a new DSA that applies this patch to etch's gnutls13? > The usual problem with X.509v1 certificates: if you add something to > the certificate store, assuming it's a server certi

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-16 Thread Florian Weimer
* Nicolas Boullis: >> You could try if recompiling gnutls13 with this patch >> >> >> >> enables your setup to work. > > I just built it; it seems to work fine. Thanks. >> However, it is unlikely that we will >> apply a similar ch

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-16 Thread Nicolas Boullis
Hello Florian, Florian Weimer wrote: > >>Our servers use commercial certificates, with "GTE CyberTrust Global >>Root" as the root certificate. It apparently is a v1 x509 certificate... > > It uses 1024-bit RSA, it is more than ten years old, and GTE > Cybertrust does not exist anymore--GTE sol

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Florian Weimer
* Thijs Kinkhorst: > On Saturday 14 February 2009, Florian Weimer wrote: >> > Our servers use commercial certificates, with "GTE CyberTrust Global >> > Root" as the root certificate. It apparently is a v1 x509 certificate... >> >> It uses 1024-bit RSA, it is more than ten years old, and GTE >> Cy

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Thijs Kinkhorst
On Saturday 14 February 2009, Florian Weimer wrote: > > Our servers use commercial certificates, with "GTE CyberTrust Global > > Root" as the root certificate. It apparently is a v1 x509 certificate... > > It uses 1024-bit RSA, it is more than ten years old, and GTE > Cybertrust does not exist any

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-14 Thread Florian Weimer
* Nicolas Boullis: >> In addition, this update tightens the checks for X.509v1 certificates >> which causes GNUTLS to reject certain certificate chains it accepted >> before. (In certificate chain processing, GNUTLS does not recognize >> X.509v1 certificates as valid unless explicitly requested b

Re: [SECURITY] [DSA 1719-1] New gnutls13 packages fix certificate validation

2009-02-13 Thread Nicolas Boullis
Hi, Florian Weimer wrote: > > In addition, this update tightens the checks for X.509v1 certificates > which causes GNUTLS to reject certain certificate chains it accepted > before. (In certificate chain processing, GNUTLS does not recognize > X.509v1 certificates as valid unless explicitly reque
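Two points in this thread deserve a concrete illustration: Florian Weimer's "usual problem with X.509v1 certificates" (anything added to the store is indistinguishable from a CA), and the DSA text quoted in the last two messages (GNUTLS no longer recognizes X.509v1 certificates in chain processing unless the application asks for it). The following is an added example written for this page; it is not code from the thread, from Debian, or from GnuTLS. It models the chain-building rule in pure Python over synthetic DER certificates built inline: a v1 certificate has no extensions and therefore no basicConstraints, so nothing in it says whether it is a CA. The certificate names (V1_ROOT, V1_SERVER, V3_CA, V3_SERVER), the placeholder key and signature bytes, and the `allow_v1_ca` switch standing in for the application's opt-in are all assumptions of the example.

```python
# Added example, not from the thread or from GnuTLS.  Synthetic DER
# certificates; key and signature fields are placeholder bytes.

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def children(content: bytes):
    """Split the content of a constructed type into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, first = content[pos], content[pos + 1]
        pos += 2
        if first & 0x80:
            n = first & 0x7F
            length = int.from_bytes(content[pos:pos + n], "big")
            pos += n
        else:
            length = first
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

OID_BASIC_CONSTRAINTS = tlv(0x06, bytes.fromhex("551d13"))             # 2.5.29.19
OID_SHA256_WITH_RSA = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
OID_RSA_ENCRYPTION = tlv(0x06, bytes.fromhex("2a864886f70d010101"))    # 1.2.840.113549.1.1.1

def build_cert(version: int, ca=None, serial: int = 1) -> bytes:
    """Synthetic Certificate DER.  version=1 omits the [0] version tag and
    the [3] extensions, exactly as a real v1 certificate does.  For v3,
    ca=True/False emits basicConstraints (cA TRUE / empty SEQUENCE)."""
    fields = []
    if version > 1:
        fields.append(tlv(0xA0, tlv(0x02, bytes([version - 1]))))      # [0] EXPLICIT Version
    fields += [
        tlv(0x02, bytes([serial])),                                    # serialNumber
        seq(OID_SHA256_WITH_RSA, tlv(0x05, b"")),                      # signature AlgorithmIdentifier
        seq(),                                                         # issuer Name (empty, synthetic)
        seq(tlv(0x17, b"090213000000Z"), tlv(0x17, b"100213000000Z")), # validity
        seq(),                                                         # subject Name (empty, synthetic)
        seq(seq(OID_RSA_ENCRYPTION, tlv(0x05, b"")), tlv(0x03, b"\x00")),  # SPKI, placeholder key
    ]
    if version > 1 and ca is not None:
        bc = seq(tlv(0x01, b"\xff")) if ca else seq()                 # DEFAULT FALSE is omitted in DER
        ext = seq(OID_BASIC_CONSTRAINTS, tlv(0x01, b"\xff"), tlv(0x04, bc))
        fields.append(tlv(0xA3, seq(ext)))                             # [3] EXPLICIT Extensions
    return seq(seq(*fields), seq(OID_SHA256_WITH_RSA, tlv(0x05, b"")), tlv(0x03, b"\x00" * 5))

def _tbs_fields(cert_der: bytes):
    (_, cert_body), = children(cert_der)          # outer Certificate SEQUENCE
    _, tbs = children(cert_body)[0]               # tbsCertificate
    return children(tbs)

def cert_version(cert_der: bytes) -> int:
    fields = _tbs_fields(cert_der)
    if fields and fields[0][0] == 0xA0:
        (_, v), = children(fields[0][1])
        return int.from_bytes(v, "big") + 1
    return 1                                      # no version field: X.509v1

def basic_constraints_ca(cert_der: bytes):
    """True/False for the cA flag; None when the extension is absent
    (always the case for a v1 certificate, which has no extensions)."""
    for tag, value in _tbs_fields(cert_der):
        if tag != 0xA3:
            continue
        (_, ext_list), = children(value)
        for _, ext in children(ext_list):
            parts = children(ext)
            if tlv(*parts[0]) != OID_BASIC_CONSTRAINTS:
                continue
            (_, bc), = children(parts[-1][1])     # extnValue OCTET STRING wraps BasicConstraints
            inner = children(bc)
            return bool(inner) and inner[0] == (0x01, b"\xff")
    return None

def may_act_as_ca(cert_der: bytes, allow_v1_ca: bool = False) -> bool:
    """Chain-building rule modelled on the tightened check: a v3 cert is an
    issuer only if basicConstraints says cA=TRUE; a v1 cert says nothing,
    so it is an issuer only when the application explicitly opts in."""
    if cert_version(cert_der) == 1:
        return allow_v1_ca
    return basic_constraints_ca(cert_der) is True

def store_issuers(store: dict, allow_v1_ca: bool = False) -> list:
    """Names of store entries the chain builder would accept as issuers."""
    return [name for name, der in store.items() if may_act_as_ca(der, allow_v1_ca)]

# Constructed samples: V1_ROOT and V1_SERVER differ only in serial number;
# structurally nothing tells a v1 root apart from a v1 server certificate.
V1_ROOT = build_cert(1, serial=1)
V1_SERVER = build_cert(1, serial=2)
V3_CA = build_cert(3, ca=True, serial=3)
V3_SERVER = build_cert(3, ca=False, serial=4)
STORE = {"v1-root": V1_ROOT, "v1-server": V1_SERVER, "v3-ca": V3_CA, "v3-server": V3_SERVER}
```

With the default (strict) rule only `v3-ca` is accepted as an issuer, which is why a chain ending in a v1 root such as the one discussed above stops validating after the update. Turning `allow_v1_ca` on restores that root, but it equally makes `v1-server` an issuer: that is the "usual problem" Florian describes, and the reason the opt-in belongs to the application rather than to the library default.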