Hello Florian,

Florian Weimer wrote:
>
>>Our servers use commercial certificates, with "GTE CyberTrust Global
>>Root" as the root certificate. It apparently is a v1 x509 certificate...
>
> It uses 1024 bit RSA, it is more than ten years old, and GTE
> Cybertrust does not exist anymore--GTE sold Cybertrust to Baltimore,
> Baltimore was sucked in to Betrusted, and Betrusted was bought by
> Verizon, so the key material is controlled by someone else these days.
> (It does not matter that the self-signature uses RSA-MD5.)

As Thijs Kinkhorst said, even if this sucks, this root certificate is still in wide use in the European academic community...

> You could try if recompiling gnutls13 with this patch
>
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=97;bug=514807>
>
> enables your setup to work.

I just built it; it seems to work fine.

> However, it is unlikely that we will
> apply a similar change to lenny. (For etch, the best approach is
> still somewhat unclear. But it's either changing gnutls13 in this
> way, or keeping the current behavior; modifying all applications is
> out of the question.)

What's the problem with this patch?

As for etch, I don't think the best approach is to keep things broken by a security update.

As for lenny, I'd prefer not to have to add the intermediate CA to my trusted list, but it certainly looks like a working solution.

Regards,

-- 
Nicolas Boullis
École Centrale Paris