diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-13 17:06:47 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-16 15:47:10 +0100 |
commit | 773f7e8e3d16a0426c11edd7c3d8883ab6ee3a56 (patch) | |
tree | cb362a6fa0701bec647b5af953f1ead9d0518ea3 | |
parent | c020faada2688515f8a7c90ab95f8d5b0b3b82ae (diff) | |
download | gnutls-773f7e8e3d16a0426c11edd7c3d8883ab6ee3a56.tar.gz |
Introduced the %VERIFY_ALLOW_BROKEN priority string option
This allows enabling broken signature algorithms in certificate verification.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | doc/cha-cert-auth.texi | 1 | ||||
-rw-r--r-- | doc/cha-gtls-app.texi | 4 | ||||
-rw-r--r-- | lib/priority.c | 5 | ||||
-rw-r--r-- | lib/priority_options.gperf | 1 |
4 files changed, 11 insertions, 0 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index 6145fdf851..75c118dedb 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -631,6 +631,7 @@ certificate chain, you can call @itemize @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2} @item @code{GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5} +@item @code{GNUTLS_VERIFY_ALLOW_BROKEN} @end itemize as in the following example: diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 8b417d6f00..a205667a01 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -1355,6 +1355,10 @@ client hello. Note that this should be set only by applications that try to reconnect with a downgraded protocol version. See RFC7507 for details. +@item %VERIFY_ALLOW_BROKEN @tab +will allow signatures with known to be broken algorithms (such as MD5 or +SHA1) in certificate chains. + @item %VERIFY_ALLOW_SIGN_RSA_MD5 @tab will allow RSA-MD5 signatures in certificate chains. diff --git a/lib/priority.c b/lib/priority.c index ade96c730c..a80194fd88 100644 --- a/lib/priority.c +++ b/lib/priority.c @@ -862,6 +862,11 @@ static void enable_verify_allow_rsa_md5(gnutls_priority_t c) c->additional_verify_flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5; } +static void enable_verify_allow_broken(gnutls_priority_t c) +{ + c->additional_verify_flags |= + GNUTLS_VERIFY_ALLOW_BROKEN; +} static void disable_crl_checks(gnutls_priority_t c) { c->additional_verify_flags |= diff --git a/lib/priority_options.gperf b/lib/priority_options.gperf index 56c79988fd..0808ffc87a 100644 --- a/lib/priority_options.gperf +++ b/lib/priority_options.gperf @@ -13,6 +13,7 @@ NO_TICKETS, enable_no_tickets NO_ETM, enable_no_etm NO_SESSION_HASH, enable_no_ext_master_secret STATELESS_COMPRESSION, enable_stateless_compression +VERIFY_ALLOW_BROKEN, enable_verify_allow_broken VERIFY_ALLOW_SIGN_RSA_MD5, enable_verify_allow_rsa_md5 VERIFY_DISABLE_CRL_CHECKS, disable_crl_checks SSL3_RECORD_VERSION, enable_ssl3_record_version |