Re: Hardware client certificates moving to Centos 7

Not sure if this helps, but the native installation for CentOS 7 by default installs OpenSSL with FIPS mode compiled in, which means deprecated algorithms such as MD5 and the like will not work. If you tried to generate a certificate, you should have received an error or not have seen that algorithm in your certificate, etc.

As others have suggested, you will have to end up building a version of OpenSSL with FIPS mode disabled in order to use MD5, unless you can get a version from the CentOS repo mirrors without FIPS.

The default output from "openssl version" in CentOS 7:

OpenSSL 1.0.1e-fips 11 Feb 2013


On Wed, Sep 27, 2017 at 2:02 PM, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
> From: openssl-users [mailto:openssl-users-bounces@openssl.org] On Behalf
> Of Jochen Bern
> Sent: Wednesday, September 27, 2017 06:51
> To: openssl-users@xxxxxxxxxxx
> Subject: Re: Hardware client certificates moving to Centos 7
>
> I don't know offhand which OpenSSL versions did away with MD5, but you
> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
> straight off CentOS 7 repos:

Ugh. No need for 0.9.8e (which is from, what, the early Industrial Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't disabled in the build configuration. I think Stuart is dealing with an OpenSSL build that had MD5 disabled in the Configure step.

Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, MD5, MDC2, RIPEMD-160, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.

That's just for digests, obviously; but the point is the MD5 support is still there. And yes, 1.0.2j can handle certificates with md5WithRSAEncryption signatures.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
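
As an added example (not code from either poster), here is a small Python check a defender can run over DER certificates to find the md5WithRSAEncryption signatures both messages discuss, so such certificates can be replaced before a FIPS-mode OpenSSL refuses them. The DER walker and the constructed sample certificates are mine; the OIDs are the RFC 3279 AlgorithmIdentifier assignments.

```python
# Flag X.509 certificates signed with md5WithRSAEncryption by walking the outer DER:
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
MD5_WITH_RSA = "1.2.840.113549.1.1.4"        # RFC 3279 AlgorithmIdentifier OIDs
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
                 MD5_WITH_RSA: "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets to dotted form; the first byte packs the first two arcs."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # clear high bit ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)       # its first element is the OID
    return _decode_oid(oid)

def weak_signature(cert_der):
    """Name of a weak signature algorithm (e.g. md5WithRSAEncryption) or None."""
    return WEAK_SIG_OIDS.get(signature_algorithm_oid(cert_der))

def _der(tag, payload):                    # short-form length only (< 128 bytes)
    return bytes([tag, len(payload)]) + payload

# Constructed samples (not real certificates): valid outer layers, dummy body.
_OID_BYTES = {MD5_WITH_RSA: bytes.fromhex("2a864886f70d010104"),
              SHA256_WITH_RSA: bytes.fromhex("2a864886f70d01010b")}

def sample_cert(sig_oid):
    tbs = _der(0x30, _der(0x02, b"\x01"))  # stand-in tbsCertificate (serial only)
    alg = _der(0x30, _der(0x06, _OID_BYTES[sig_oid]) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # dummy signatureValue
```

For real input, read a certificate's DER bytes (the output of `openssl x509 -outform DER`) and pass them to `weak_signature`.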



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
