On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote:

> Thanks Viktor for your feedback
>
> Well, the 2 certificates are embedded in the python code as PEM; I am
> attaching them again here as plain files if that helps

The leaf certificate is signed with RSA+MD5:

    $ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:'
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
            Issuer: CN=onelab.inria
            Validity
                Not Before: Aug 18 13:30:49 2014 GMT
                Not After : Aug 17 13:30:49 2019 GMT
            Subject: CN=onelab.inria.thierry_parmentelat
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (1024 bit)
                    Modulus:
                    Exponent: 35 (0x23)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                X509v3 Subject Alternative Name:
                    URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a
        Signature Algorithm: md5WithRSAEncryption

> In terms of versioning, on one box that exhibits the issue of returning -1, I have this:
>
> # cat /etc/fedora-release
> Fedora release 24 (Twenty Four)

Redhat is removing support for MD5 signatures from their OpenSSL
builds.  From a recent email from them to the OpenSSL team:

    We (Red Hat Enterprise Linux developers) decided to disable support
    for verification of signatures with MD4, MD5, and SHA0 hashes in openssl
    library in Red Hat Enterprise Linux 6 and newer and in Fedora.
    ...

Your 5 year MD5 certificate is getting stale, time to use something
a bit more current.  Also its rather small exponent (35) is very
unwise.  While not quite as bad as 3, it may be open to attack.

-- 
    Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
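
Added example, not part of the thread or of OpenSSL: a small audit of `openssl x509 -noout -text` output that reports the three properties discussed in the reply above (signature digest, RSA modulus size, public exponent). The weak-digest list follows the Red Hat notice quoted in the message; the 2048-bit and 65537 thresholds and the `audit` function name are assumptions made for this example.

```python
import re

# Abridged text dump of the leaf certificate, copied from the message above.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=onelab.inria
        Subject: CN=onelab.inria.thierry_parmentelat
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 35 (0x23)
    Signature Algorithm: md5WithRSAEncryption
"""

# Digests named in the quoted Red Hat notice (MD4, MD5, SHA0) as they appear
# at the start of OpenSSL signature algorithm names. "sha1With..." and
# "sha256With..." do not match because "With" must follow "sha" directly.
WEAK_SIG = re.compile(r"^(md4|md5|sha)With", re.IGNORECASE)
MIN_RSA_BITS = 2048       # assumption: local policy, not stated in the thread
MIN_RSA_EXPONENT = 65537  # assumption: local policy, not stated in the thread


def audit(text):
    """Return a sorted list of findings for one certificate text dump."""
    findings = set()
    # The algorithm is printed twice (TBS data and outer signature); the set
    # collapses identical findings into one.
    for alg in re.findall(r"Signature Algorithm:\s*(\S+)", text):
        if WEAK_SIG.match(alg):
            findings.add(f"weak signature digest: {alg}")
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.add(f"RSA modulus too short: {m.group(1)} bits")
    m = re.search(r"Exponent:\s*(\d+)", text)
    if m and int(m.group(1)) < MIN_RSA_EXPONENT:
        findings.add(f"small RSA public exponent: {m.group(1)}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the same check over every certificate in a trust chain before an OS upgrade shows which ones will stop verifying once MD5 signature support is removed from the OpenSSL build.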