Workaround for "SSL_CTX_use_certificate:ca md too weak"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi everyone,

I'm upgrading a server application from using OpenSSL 1.0.2n to using OpenSSL 1.1.0g.
I noticed that after the upgrade, some SSL certs get rejected because they use an MD5 digest, with the error:
"SSL_CTX_use_certificate:ca md too weak"

While I could ask clients to get a better CA certificate, it takes some of them a long time to do so. I was wondering if there's a way I could compile/configure the OpenSSL on my server to accept those certificates after all. Does anyone know?

I found links such as:
https://mta.openssl.org/pipermail/openssl-users/2017-October/006670.html
and
https://www.spinics.net/lists/openssl-users/msg06669.html
and a few others but they don't apply to my case I think.

Also, if the client does find it possible to get re-generated certs, would it be both the client cert and the CA? Or just one of them?

Thanks in advance!
Best,
Pratyush
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux