FIPS mode is a policy decision in my opinion also but since RedHat prides itself in security e.g. SELinux, etc. I believe that is a RedHat decision as opposed to the OpenSSL community. The alternative would be to use a different Linux distro like Ubuntu, etc. which does not compile their OpenSSL with FIPS enabled natively to support legacy algorithms.
FYI I am not speaking on behalf of RedHat or OpenSSL. This is all conjecture and my 2 cents :-)
On Wed, Sep 27, 2017 at 3:15 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>> straight off CentOS 7 repos:
>
> Ugh. No need for 0.9.8e (which is from, what, the early Industrial Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't disabled in the build configuration. I think Stuart is dealing with an OpenSSL build that had MD5 disabled in the Configure step.
>
> Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.
Some of those algorithms may still needed for some use cases. For
example, Apple still ships (or used to ship until recently) some
certificates that use MD2. They were present in iOS 7 and 8. Also see
http://seclists.org/fulldisclosure/2013/Sep/184 .
I think the best OpenSSL can for now is allow those who don't need
antique algorithms to disable them at compile time. Otherwise, OpenSSL
is making policy decisions that may not work well for some folks.
Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users