@xnox, I _think_ SHA1 isn't used in the insecure way that you seem to be referring to.
The problem seems to be that the certification path used by gnutls ends up with a root CA self-signed with SHA1. The rest of the path is using SHA256 as it should. This can be visualized in "Certification Paths > Path #1: Trusted" on [1].

In theory, using SHA1 on a root CA should not be a concern.

"openssl s_client -connect ggproxy-secure-12.gadu-gadu.pl:443" uses a different path and doesn't meet any self-signed root CA with SHA1.

[1]: https://www.ssllabs.com/ssltest/analyze.html?d=ggproxy-secure-12.gadu-gadu.pl

--
https://bugs.launchpad.net/bugs/1875920

Title:
  New default %PROFILE_MEDIUM breaks root ceritificates which use SHA1
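A simplified model of the point made in the comment above, as an added example that is not part of the original comment and is not GnuTLS or OpenSSL code: a hash-strength check applied to every certificate in a path rejects a path that ends at a SHA1 self-signed root, while a check that exempts the local trust anchor accepts it. The certificate names, the `weak_links` helper and both paths are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

WEAK_HASHES = {"md5", "sha1"}  # hashes a strict profile refuses in signatures


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig_hash: str  # hash used in the signature over this certificate

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def weak_links(path, trust_store, exempt_anchor):
    """Return subjects in `path` (leaf first) that carry a weak signature hash.

    With exempt_anchor=True, a self-signed certificate found in the local
    trust store is skipped: it is trusted because it is in the store, so
    its own signature carries no security weight.
    """
    # Sanity check: each certificate must be issued by the next one in the path.
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"broken path at {child.subject!r}")
    flagged = []
    for cert in path:
        is_anchor = cert.self_signed and cert.subject in trust_store
        if is_anchor and exempt_anchor:
            continue
        if cert.sig_hash in WEAK_HASHES:
            flagged.append(cert.subject)
    return flagged


# Constructed sample data: the same leaf reachable through two paths.
LEAF = Cert("leaf.example", "Intermediate CA", "sha256")
INTER = Cert("Intermediate CA", "Old Root", "sha256")
OLD_ROOT = Cert("Old Root", "Old Root", "sha1")        # SHA1 self-signed root
INTER_X = Cert("Intermediate CA", "New Root", "sha256")  # cross-signed variant
NEW_ROOT = Cert("New Root", "New Root", "sha256")
STORE = {"Old Root", "New Root"}

PATH_SHA1_ROOT = [LEAF, INTER, OLD_ROOT]
PATH_OTHER = [LEAF, INTER_X, NEW_ROOT]

if __name__ == "__main__":
    for name, path in (("sha1-root", PATH_SHA1_ROOT), ("other", PATH_OTHER)):
        print(name, weak_links(path, STORE, False), weak_links(path, STORE, True))
```

A SHA1 signature on a non-anchor certificate is flagged under both settings, which is the case where the hash strength does matter.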