ooookkkk; it explains it all :)
Thanks so much for your time looking into this, it is very helpful

— Thierry

> On 13 Jan 2017, at 16:47, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
>
> On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote:
>
>> Thanks Viktor for your feedback
>>
>> Well, the 2 certificates are embedded in the python code as PEM; I am
>> attaching them again here as plain files if that helps
>
> The leaf certificate is signed with RSA+MD5:
>
>     $ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:'
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number: 3 (0x3)
>         Signature Algorithm: md5WithRSAEncryption
>             Issuer: CN=onelab.inria
>             Validity
>                 Not Before: Aug 18 13:30:49 2014 GMT
>                 Not After : Aug 17 13:30:49 2019 GMT
>             Subject: CN=onelab.inria.thierry_parmentelat
>             Subject Public Key Info:
>                 Public Key Algorithm: rsaEncryption
>                     Public-Key: (1024 bit)
>                     Modulus:
>                     Exponent: 35 (0x23)
>             X509v3 extensions:
>                 X509v3 Basic Constraints: critical
>                 X509v3 Subject Alternative Name:
>                     URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a
>         Signature Algorithm: md5WithRSAEncryption
>
>> In terms of versioning, on one box that exhibits the issue of returning -1, I have this:
>>
>> # cat /etc/fedora-release
>> Fedora release 24 (Twenty Four)
>
> Redhat is removing support for MD5 signatures from their OpenSSL
> builds. From a recent email from them to the OpenSSL team:
>
>     We (Red Hat Enterprise Linux developers) decided to disable
>     support for verification of signatures with MD4, MD5, and SHA0
>     hashes in openssl library in Red Hat Enterprise Linux 6 and
>     newer and in Fedora. ...
>
> Your 5 year MD5 certificate is getting stale, time to use something
> a bit more current. Also its rather small exponent (35) is very
> unwise. While not quite as bad as 3, it may be open to attack.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
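
An added example, not part of the thread: a small audit of `openssl x509 -text` output that flags the three properties called out in the reply above (a digest on Red Hat's rejected list, a short RSA key, a small public exponent). The function name, the 2048-bit floor and the 65537 exponent floor are assumptions for illustration; the sample text is constructed from the dump quoted in the thread.

```python
import re

# Digests named in the Red Hat note quoted in the thread. OpenSSL prints the
# signature algorithm as "<digest>With<key>Encryption"; plain "sha" is SHA-0.
REJECTED_DIGESTS = {"md4", "md5", "sha"}
MIN_RSA_BITS = 2048        # assumption: local policy floor, not from the thread
MIN_RSA_EXPONENT = 65537   # assumption: conventional exponent, not from the thread

# Constructed sample: fields copied from the dump quoted in the thread.
SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=onelab.inria
        Subject: CN=onelab.inria.thierry_parmentelat
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 35 (0x23)
    Signature Algorithm: md5WithRSAEncryption
"""

def audit_x509_text(text):
    """Return sorted findings for one `openssl x509 -noout -text` dump."""
    findings = set()
    # The algorithm is printed twice (TBS data and outer signature); check both.
    for alg in re.findall(r"Signature Algorithm:\s*(\S+)", text):
        digest = alg.split("With")[0].lower()
        if digest in REJECTED_DIGESTS:
            findings.add(f"signature digest {digest} is rejected ({alg})")
    # Key size and exponent checks only make sense for RSA subject keys.
    if re.search(r"Public Key Algorithm:\s*rsaEncryption", text):
        bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)
        if bits and int(bits.group(1)) < MIN_RSA_BITS:
            findings.add(f"RSA key is {bits.group(1)} bits, below {MIN_RSA_BITS}")
        exp = re.search(r"Exponent:\s*(\d+)", text)
        if exp and int(exp.group(1)) < MIN_RSA_EXPONENT:
            findings.add(f"RSA public exponent {exp.group(1)} is below {MIN_RSA_EXPONENT}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_x509_text(SAMPLE):
        print(finding)
```
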