Author: Phil Pennock Date: To: exim-dev Subject: Re: [exim-dev] GnuTLS status
On 2012-05-17 at 09:04 -0400, Phil Pennock wrote:
> I'm picking through the test suite and finding more corner cases now.
When I wrote that, I'd fixed one bug.
I've spent a lot of time tracking down why things are still going wrong,
before realising that the test certificate uses md5WithRSAEncryption.
I can generate a new cert, but I also want to make sure *that* still
works if the priority string is set to NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5
and so far I'm failing. So the basic problem is one of trying to fight
new security requirements of the underlying library, to let admins
continue to shoot themselves in the feet if they so choose.
README.UPDATING will have this extra paragraph in the TLS notes:
Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains.
A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 should
re-enable support.
So far, I'm failing to make that true.
EXPORT:%VERIFY_ALLOW_SIGN_RSA_MD5 doesn't help. Still seeing:
10842 GnuTLS<1>: Could not find an appropriate certificate: Insufficient credentials for that request.
For certainty, I've generated two new certs, and indeed that fixes most
of the problems.
The other option is to say "You're using TLS for a reason? Stop using
MD5 then, as the GnuTLS folks recommend", in which case README.UPDATING
would say:
Note that GnuTLS no longer accepts RSA-MD5 signatures in certificate
chains, including in self-signatures. In theory, a
tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 should
re-enable support, but this does not appear to work. We recommend
following the advice of the experts and not using MD5 signatures in
certificates.
One stance is that it's a case where maintaining backwards compatibility
is bad, because that is being deliberately broken to improve security.
Thoughts?
I'm really coming around to the idea of making the next release be 4.80
instead of 4.78, to highlight that there are issues to watch for here.
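A quick check for the condition that cost the time above, as an added example that is not part of this post, of Exim or of GnuTLS: it walks the outer DER structure of a certificate and reports whether the signature algorithm OID is md5WithRSAEncryption, which current GnuTLS rejects in chains by default. The certificate bytes used here are a constructed fixture, not a real certificate; on a deployment you would pass the DER of each certificate in the chain (a PEM file is base64 between the BEGIN/END lines).

```python
# Added example, not code from the Exim post or the GnuTLS project: read the
# outer signatureAlgorithm OID of a DER certificate and flag md5WithRSAEncryption.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption

def read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:               # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(cert_der):
    """OID from the certificate's outer signatureAlgorithm (the issuer's signing algorithm)."""
    _, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE { ... }
    _, _, pos = read_tlv(cert, 0)             # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)        # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_bytes, _ = read_tlv(alg_id, 0)   # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_bytes)

def uses_rsa_md5(cert_der):
    """True when the certificate carries an RSA-MD5 signature (rejected by GnuTLS by default)."""
    return signature_oid(cert_der) == MD5_WITH_RSA

# Constructed fixture: certificate-shaped DER with a dummy tbsCertificate and
# signature, so the walk above can be exercised without a real certificate.
def der(tag, content):
    return bytes([tag, len(content)]) + content       # short-form length suffices

def fixture(oid_content):
    tbs = der(0x30, der(0x02, b"\x01"))                       # dummy tbsCertificate
    alg = der(0x30, der(0x06, oid_content) + der(0x05, b""))  # AlgorithmIdentifier
    return der(0x30, tbs + alg + der(0x03, b"\x00\xab\xcd"))  # + dummy BIT STRING

MD5_CERT = fixture(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04")     # md5WithRSAEncryption
SHA256_CERT = fixture(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
```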