Re: Fwd: F21 nm-openvpn and md5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I've tried to add the environment variable as you described below, but it still does not work.

In a virtual machine with F20 I updated the F20 openssl-1.0.1e-40.fc20 to openssl-1.0.1e-40.fc21. After the update I get the error as expected. But after adding "Environment="OPENSSL_ENABLE_MD5_VERIFY=1" to /usr/lib/systemd/system/NetworkManager.service the openvpn connection started to work.

The same change under F21 does not help, I still get the error.

Zoltan


On Wed, Nov 5, 2014 at 7:53 AM, poma <pomidorabelisima@xxxxxxxxx> wrote:
On 04.11.2014 22:57, Zoltan Kota wrote:
> Hi,
>
> With F21 on, openssl has been patched to disallow verification of
> certificates that are signed with MD5 algorithm. Until I get our sysadmins
> generate new keys I should use the workaround described as: "a temporary
> measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to
> allow verification of certificates signed with MD5 algorithm."
>
> On my pre-F21 (test)machine I use gnome with Networkmanager(-openvpn). How
> can I add the above environment variable for Networkmanager?
>

[openssl] disable verification of certificate, CRL, and OCSP signatures using MD5
https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131111/1144043.html

⁠Chapter 28. Networking
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/Known-Issues-Networking.html

openssl component, BZ#1062656
    It is not possible to connect to any Wi-Fi Protected Access (WPA) Enterprise Access Point (AP) that requires MD5-signed certificates. To work around this problem, copy the wpa_supplicant.service file from the /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory and add the following line to the Service section of the file:

    Environment="OPENSSL_ENABLE_MD5_VERIFY"

    Then run the systemctl daemon-reload command as root to reload the service file.

    Important
    Note that MD5 certificates are highly insecure and Red Hat does not recommend using them.


--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test

-- 
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test
[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]

  Powered by Linux