Re: Hardware client certificates moving to Centos 7

On 09/28/2017 01:25 PM, Stuart Marsden wrote:
Hi

thanks for all the comments and suggestions, especially the ones I could understand

centos 7
yum upgrade

openssl version gives:

OpenSSL 1.0.2k-fips  26 Jan 2017


it looks like 

echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings

allows the reading of MD5 client certificates (which are still being installed in "not released yet" phones)

I am almost concerned this is being done intentionally to meet some security downgrade requirement. All the more reason to only use this cert to bootstrap your own cert for the actual management.



That is a week of my life I won't get back

thanks again

Stuart


On 27 Sep 2017, at 19:02, Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:

From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
Of Jochen Bern
Sent: Wednesday, September 27, 2017 06:51
To: openssl-users@xxxxxxxxxxx
Subject: Re: Hardware client certificates moving to Centos 7

I don't know offhand which OpenSSL versions did away with MD5, but you
*can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
straight off CentOS 7 repos:

Ugh. No need for 0.9.8e (which is from, what, the early Industrial Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't disabled in the build configuration. I think Stuart is dealing with an OpenSSL build that had MD5 disabled in the Configure step.

Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.

That's just for digests, obviously; but the point is the MD5 support is still there. And yes, 1.0.2j can handle certificates with md5WithRsaEncryption signatures.

--
Michael Wojcik
Distinguished Engineer, Micro Focus



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



Dr Stuart Marsden
Tel: +44 (0)1494 414100
Email: stuart@xxxxxxxxxxxx
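
An added example, not part of the original thread and not OpenSSL or CentOS code: a small DER reader that pulls the outer signatureAlgorithm OID out of a certificate so md5WithRSAEncryption client certificates can be inventoried before relying on a legacy-digest override. The function names, the MD2 and SHA-1 table entries and the skeleton sample are assumptions made for illustration.

```python
# Legacy signature-algorithm OIDs (PKCS #1). The thread only discusses MD5;
# the MD2 and SHA-1 entries are added here as an assumption.
WEAK = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted notation."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def audit(der):
    """Return (oid, weak_name_or_None) for a DER certificate's signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm SEQUENCE
    _, oid, _ = read_tlv(alg, 0)           # algorithm OBJECT IDENTIFIER
    oid = decode_oid(oid)
    return oid, WEAK.get(oid)

def skeleton(oid_der):
    """Constructed sample: certificate-shaped DER with placeholder fields, not a real cert."""
    alg = b"\x30" + bytes([len(oid_der) + 4]) + b"\x06" + bytes([len(oid_der)]) + oid_der + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x01" + alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body
```

The reader expects DER input; a PEM file can be converted first with openssl x509 -outform DER.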




