curl-users
Disable accepting MD5 certificates
Date: Tue, 02 Sep 2014 12:32:02 +0000
Hi,
I noticed that the curl command line tool on Linux is accepting MD5
certificates and couldn't figure out how to disable this behavior. For my
test setup, I created a CA certificate signed with sha256WithRSAEncryption
and a server cert with md5WithRSAEncryption and ran
'curl https://mydomain.com/ --cacert ca.crt', which would happily connect to the
server.
Even though no CA is issuing MD5 certs anymore (I hope), this still poses a
security risk if an attacker is in possession of an expired rogue CA
certificate similar to [0]. The expiry check can often be bypassed since
many clients synchronize their time with an external source without any
authentication.
Is there a way to disable accepting MD5 certificates? I assume the same
issue applies to the libcurl easy interface as well.
[0] http://www.win.tue.nl/hashclash/rogue-ca/
Thanks,
Stephen
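The check the post is asking for, as an added example (not curl's code and not the poster's test setup): a small stand-alone Python script that walks the DER of every certificate in a PEM chain, reads the signatureAlgorithm OID, flags md2WithRSAEncryption / md5WithRSAEncryption, and also flags a certificate whose inner tbsCertificate.signature field disagrees with the outer signatureAlgorithm (RFC 5280 requires them to match). The file name check_md5_chain.py, the `openssl s_client` pipeline in the docstring, and the `build_skeleton_cert` test input are assumptions; the skeleton certificates it builds are constructed for the test, carry no real signature and omit every TBS field after `signature`, so no TLS stack would accept them. The script uses only the standard library so it runs without curl, OpenSSL or a network.

```python
"""Pre-flight check for curl: refuse a chain containing an MD5/MD2-signed cert.
Added example, not curl's own code. Assumed usage (names are hypothetical):
  openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null \
    | python3 check_md5_chain.py && curl https://host/ --cacert ca.crt
"""
import base64
import re
import sys

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); MD2 and MD5 are rejected.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
SIG_OID_NAMES = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def der_read(buf, pos=0):
    """Read one DER TLV with a single-byte tag. Returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_write(tag, value):
    """Encode one DER TLV with a minimal definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def oid_to_der(dotted):
    """Encode a dotted OID into DER content bytes (first two arcs merged, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def oid_from_der(value):
    """Decode DER OID content bytes back into dotted form."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    lead = min(arcs[0] // 40, 2)
    return ".".join(map(str, [lead, arcs[0] - 40 * lead] + arcs[1:]))


def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_bytes, _ = der_read(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return oid_from_der(oid_bytes)


def signature_oids(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    tag, cert, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, tbs, pos = der_read(cert)            # tbsCertificate
    _, outer_alg, _ = der_read(cert, pos)   # signatureAlgorithm
    tag, _, p = der_read(tbs)               # [0] EXPLICIT version, or serialNumber
    if tag == 0xA0:
        tag, _, p = der_read(tbs, p)        # serialNumber follows the version
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER in tbsCertificate")
    _, inner_alg, _ = der_read(tbs, p)      # signature (AlgorithmIdentifier)
    return algorithm_oid(inner_alg), algorithm_oid(outer_alg)


def check_certificate(cert_der):
    inner, outer = signature_oids(cert_der)
    return {"oid": outer, "name": SIG_OID_NAMES.get(outer, "unknown"),
            "weak": outer in WEAK_SIG_OIDS,
            "mismatch": inner != outer}   # RFC 5280 4.1.1.2: MUST be identical


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_pem_chain(pem_text):
    return [check_certificate(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]


def chain_is_acceptable(pem_text):
    results = check_pem_chain(pem_text)
    return bool(results) and not any(r["weak"] or r["mismatch"] for r in results)


def build_skeleton_cert(sig_oid, tbs_sig_oid=None):
    """Constructed test input: a Certificate skeleton with the given OIDs, no real
    signature, and no TBS fields after 'signature' (this check never reads them)."""
    def alg(oid):
        return der_write(0x30, der_write(0x06, oid_to_der(oid)) + b"\x05\x00")
    tbs = der_write(0x30, der_write(0xA0, der_write(0x02, b"\x02"))  # version v3
                    + der_write(0x02, b"\x01")                         # serialNumber
                    + alg(tbs_sig_oid or sig_oid))                     # signature
    return der_write(0x30, tbs + alg(sig_oid) + der_write(0x03, b"\x00" * 17))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    chain = sys.stdin.read()
    for i, r in enumerate(check_pem_chain(chain)):
        flags = (" WEAK" if r["weak"] else "") + (" MISMATCH" if r["mismatch"] else "")
        print(f"cert {i}: {r['name']} ({r['oid']}){flags}")
    sys.exit(0 if chain_is_acceptable(chain) else 1)
```

For a one-off manual check the same information is in `openssl x509 -in server.crt -noout -text`, whose "Signature Algorithm:" line reads md5WithRSAEncryption for the server cert described in the post; the script is for gating curl in a pipeline, where a non-zero exit stops the download before curl ever connects.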
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-09-02