I assume you have tried openssl standalone on such a certificate? https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Since, I do not know of any specific checks added for this in Apache, I assume that openssl updated its verification implementation. The command line should let you verify that. If this is the case, question would be if some openssl config parameter can disable that for you. I think there are some people around here who should be able to find that out, once you have verified that with your certs. Cheers, Stefan > Am 23.10.2019 um 11:49 schrieb Wouter Verhelst <Wouter.Verhelst > @zetes.com>: > > Hi, > > For reasons beyond my control, I need to allow client certificate authentication with certificates that are signed with SHA1 (I know -- don't ask). Upon installing Apache from Debian 10 "buster" and installing the CA certificate under SSLCACertificateFile, however, I get the following: > > [Wed Oct 23 11:41:23.336834 2019] [ssl:info] [pid 7424] [client 172.16.57.80:38728] AH02276: Certificate Verification: Error (68): CA signature digest algorithm too weak [....certificate details snipped for privacy....] > > I know that SHA1 is insecure these days, but I have no control over the algorithms used in this particular CA, and I need to be able to use it. > > I tried disabling TLSv1.3 and setting the value of SSLCipherSuite to "HIGH:SHA1", but to no effect. > > Anyone have any idea if it's possible to relax the requirements for client CAs somehow? > > (Debian buster comes with httpd 2.4.38 and OpenSSL 1.1.1d) > > Thanks, --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|