On 05.11.2014 14:55, Zoltan Kota wrote: > I've tried to add the environment variable as you described below, but it > still does not work. > Quote, not description. :) Send sysadmins chocolates and flowers. > In a virtual machine with F20 I updated the F20 openssl-1.0.1e-40.fc20 to > openssl-1.0.1e-40.fc21. After the update I get the error as expected. But > after adding "Environment="OPENSSL_ENABLE_MD5_VERIFY=1" to > /usr/lib/systemd/system/NetworkManager.service the openvpn connection > started to work. > > The same change under F21 does not help, I still get the error. > > Zoltan > > > On Wed, Nov 5, 2014 at 7:53 AM, poma <pomidorabelisima@xxxxxxxxx> wrote: > >> On 04.11.2014 22:57, Zoltan Kota wrote: >>> Hi, >>> >>> With F21 on, openssl has been patched to disallow verification of >>> certificates that are signed with MD5 algorithm. Until I get our >> sysadmins >>> generate new keys I should use the workaround described as: "a temporary >>> measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to >>> allow verification of certificates signed with MD5 algorithm." >>> >>> On my pre-F21 (test)machine I use gnome with Networkmanager(-openvpn). >> How >>> can I add the above environment variable for Networkmanager? >>> >> >> [openssl] disable verification of certificate, CRL, and OCSP signatures >> using MD5 >> >> https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20131111/1144043.html >> >> Chapter 28. Networking >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/Known-Issues-Networking.html >> >> openssl component, BZ#1062656 >> It is not possible to connect to any Wi-Fi Protected Access (WPA) >> Enterprise Access Point (AP) that requires MD5-signed certificates. To work >> around this problem, copy the wpa_supplicant.service file from the >> /usr/lib/systemd/system/ directory to the /etc/systemd/system/ directory >> and add the following line to the Service section of the file: >> >> Environment="OPENSSL_ENABLE_MD5_VERIFY" >> >> Then run the systemctl daemon-reload command as root to reload the >> service file. >> >> Important >> Note that MD5 certificates are highly insecure and Red Hat does not >> recommend using them. >> >> >> -- >> test mailing list >> test@xxxxxxxxxxxxxxxxxxxxxxx >> To unsubscribe: >> https://admin.fedoraproject.org/mailman/listinfo/test > > > -- test mailing list test@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test
