Hi,
For reasons beyond my control, I need to allow client certificate authentication with certificates that are signed with SHA1 (I know -- don't ask). Upon installing Apache from Debian 10 "buster" and installing the CA certificate under SSLCACertificateFile,
however, I get the following:
[Wed Oct 23 11:41:23.336834 2019] [ssl:info] [pid 7424] [client 172.16.57.80:38728] AH02276: Certificate Verification: Error (68): CA signature digest algorithm too weak [....certificate details snipped for privacy....]
I know that SHA1 is insecure these days, but I have no control over the algorithms used in this particular CA, and I need to be able to use it.
I tried disabling TLSv1.3 and setting the value of SSLCipherSuite to "HIGH:SHA1", but to no effect.
Anyone have any idea if it's possible to relax the requirements for client CAs somehow?
(Debian buster comes with httpd 2.4.38 and OpenSSL 1.1.1d)
Thanks,
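Added example (the editor's, not code from the poster, Debian or Apache): a shell script that rebuilds the failure with a constructed SHA1-signed test CA and client certificate, then runs openssl verify on that chain at X.509 auth level 2 and at level 1. The background it demonstrates: Debian buster's /etc/ssl/openssl.cnf sets CipherString = DEFAULT@SECLEVEL=2, and OpenSSL 1.1.x applies the TLS security level as the auth level for the client-certificate chain, so a SHA1 signature on the client certificate (80 bits of security against the 112-bit minimum of level 2) fails with X509_V_ERR_CA_MD_TOO_WEAK (68) while the trust anchor's own signature is never checked. A cipher string such as "HIGH:SHA1" only selects suites whose MAC is SHA1 and has no effect on certificate signature checks. The script assumes the openssl command line tool (1.1.1 or 3.x) is on PATH; the subjects, file names and temporary directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original post. It rebuilds the failure from
# the post with a throwaway chain: a self-signed CA and a client certificate
# that are both RSA/SHA1-signed (constructed test data, not the poster's CA),
# then verifies that chain at X.509 auth level 2 and at level 1.
# Assumption: the `openssl` command line tool (1.1.1 or 3.x) is on PATH.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the constructed chain once; later calls reuse it.
make_sha1_chain() {
    if [ -f "$WORK/client.pem" ]; then return 0; fi
    # Self-signed CA, signed with SHA1. The trust anchor's own signature is
    # never checked against the auth level, so this alone would not fail.
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 1 \
        -subj "/CN=Legacy SHA1 Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Client certificate request with a 2048-bit key (fine at level 2)...
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    # ...signed by the CA with SHA1: this signature is what trips error 68.
    openssl x509 -req -sha1 -days 1 -set_serial 1 \
        -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/client.pem" >/dev/null 2>&1
}

# Signature algorithm of the client certificate, e.g. sha1WithRSAEncryption.
client_sig_alg() {
    make_sha1_chain
    openssl x509 -in "$WORK/client.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Exit status 0 when the chain verifies at the given auth level, 1 otherwise.
# Level 2 is what buster's openssl.cnf (DEFAULT@SECLEVEL=2) gives a TLS server;
# OpenSSL 1.1.x copies that TLS security level into the X.509 auth level it
# uses for the client-certificate chain.
verifies_at_level() {
    make_sha1_chain
    if openssl verify -auth_level "$1" -CAfile "$WORK/ca.pem" \
            "$WORK/client.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Text of the verify error at the given level (empty when verification passes).
verify_error_at_level() {
    make_sha1_chain
    openssl verify -auth_level "$1" -CAfile "$WORK/ca.pem" "$WORK/client.pem" 2>&1 \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: //p'
}

# Stand-alone run: show the digest in use, then the result at each level.
make_sha1_chain
echo "client cert signed with: $(client_sig_alg)"
for level in 2 1; do
    if verifies_at_level "$level"; then
        echo "auth_level $level: OK"
    else
        echo "auth_level $level: $(verify_error_at_level "$level")"
    fi
done
```

The level 1 result is what mod_ssl gives once its security level is lowered the same way, for example with `SSLCipherSuite DEFAULT@SECLEVEL=1`, because mod_ssl hands that string to SSL_CTX_set_cipher_list; scope that to the one virtual host that needs the legacy CA, since it also relaxes every other level-2 check (minimum key sizes, SHA1 anywhere else in a chain) on that host.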