If I do "openssl x509 -in mycert.crt -text" I see "Signature Algorithm: 
sha1WithRSAEncryption". There's no mention of MD5 here but since OpenSSL is 
attempting to load it, I assume it's using the MD5-SHA1 combination. If that 
*is* permitted, why am I getting the "disabled for FIPS" error?

Graeme

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Friday, July 26, 2013 7:39 AM
To: openssl-users@openssl.org
Subject: Re: Using MD5 certificates in OpenSSL FIPS

On Fri, Jul 26, 2013, Carl Young wrote:

> As far as I remember, the use of MD5 is only allowed in TLS 1 for the
> specific use within the PRF for key generation as the __combination__ of
> SHA-1 and MD5 is not considered weak usage. Use of MD5 elsewhere is still
> disallowed.
> 

It is also permitted with the MD5+SHA1 combined RSA signature again because
the combination is not considered weak.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org