SHA1 security update regression prohibits connectivity

Bug #1860656 reported by Dimitri John Ledkov
Affects             Status        Importance  Assigned to       Milestone
gnutls28 (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial            Fix Released  Undecided   Marc Deslauriers
  Bionic            Fix Released  Undecided   Marc Deslauriers

Bug Description

more details to follow

Dimitri John Ledkov (xnox) wrote :

Marc Deslauriers (mdeslaur) wrote :

Could you please try adding %GNUTLS_VERIFY_ALLOW_BROKEN in your priority string?

Marc Deslauriers (mdeslaur) wrote :

Actually, %VERIFY_ALLOW_BROKEN wasn't a valid priority string in older releases. I'll backport these two commits:

https://gitlab.com/gnutls/gnutls/commit/773f7e8e3d16a0426c11edd7c3d8883ab6ee3a56
https://gitlab.com/gnutls/gnutls/commit/eb3650c4602ea9b92cfd084ef417bc7f6b89555c

They will allow specifying %VERIFY_ALLOW_BROKEN or %VERIFY_ALLOW_SIGN_WITH_SHA1.

Changed in gnutls28 (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls28 (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gnutls28 (Ubuntu Xenial):
status: New → Confirmed
Changed in gnutls28 (Ubuntu Bionic):
status: New → Confirmed
Changed in gnutls28 (Ubuntu):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Test cases:

gnutls-cli --priority='NORMAL' -p 443 sha1-intermediate.badssl.com
gnutls-cli --priority='NORMAL:%VERIFY_ALLOW_BROKEN' -p 443 sha1-intermediate.badssl.com
gnutls-cli --priority='NORMAL:%VERIFY_ALLOW_SIGN_WITH_SHA1' -p 443 sha1-intermediate.badssl.com

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.5.18-1ubuntu1.3

---------------
gnutls28 (3.5.18-1ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Allow re-enabling SHA1 for certificate signing with a
    priority string (LP: #1860656)
    - debian/patches/allow_broken_priority_string.patch: introduce the
      %VERIFY_ALLOW_BROKEN priority string option.
    - debian/patches/allow_sha1_priority_string.patch: introduce the
      %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string option.

 -- Marc Deslauriers <email address hidden> Thu, 23 Jan 2020 08:39:38 -0500

Changed in gnutls28 (Ubuntu Bionic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls28 - 3.4.10-4ubuntu1.7

---------------
gnutls28 (3.4.10-4ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Allow re-enabling SHA1 for certificate signing with a
    priority string (LP: #1860656)
    - debian/patches/allow_broken_priority_string.patch: introduce the
      %VERIFY_ALLOW_BROKEN priority string option.
    - debian/patches/allow_sha1_priority_string.patch: introduce the
      %VERIFY_ALLOW_SIGN_WITH_SHA1 priority string option.

 -- Marc Deslauriers <email address hidden> Thu, 23 Jan 2020 08:47:43 -0500

Changed in gnutls28 (Ubuntu Xenial):
status: Confirmed → Fix Released