We have a client-server application architecture in which self-signed
certificates are used for communication.
To address the Heartbleed vulnerability, in our latest product release we
upgraded OpenSSL on the agent to version 1.0.1g.

After our product upgrade, a few of our customers started complaining that
agents using legacy certificates with MD5withRSAEncryption as the signature
algorithm are failing to communicate with the server.
But if they downgrade our product to the older version, where we use OpenSSL
version 1.0.1e, it is able to communicate successfully with the same server
using the same legacy certificate.

Has support for MD5 as a signature algorithm been dropped in the latest
version of OpenSSL? If yes, from which version has this support been
dropped?

The change log does not specifically mention dropping support for MD5
encryption.
I found the link below, which suggests support has been dropped but does not
mention which version of OpenSSL.
http://rt.openssl.org/Ticket/Display.html?id=3059&user=guest&pass=guest


Any help is appreciated.

-- 
Regards,
Yogesh
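The question turns on which signature algorithm each deployed agent certificate actually carries. Before changing anything on the server, an operator would want to inventory the certificates and flag the MD5-signed ones. The script below is an added example, not code from the post or from OpenSSL: it parses only the outer `Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }` layout of a DER/PEM certificate with a minimal ASN.1 reader and reports the signature OID, so it runs without any third-party library. The sample certificate it builds is a constructed placeholder with the real outer layout (the tbsCertificate body is just a serial number) and is not a valid certificate; the OID table and the `WEAK_SIGNATURE_OIDS` set are the standard PKCS#1 identifiers.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM).

Added example for triaging which agent certificates are MD5-signed.
No third-party modules; only the outer certificate structure is parsed.
"""
import base64
import re

# Standard PKCS#1 signature-algorithm OIDs (names as OpenSSL prints them).
OID_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# MD2/MD4/MD5 signatures are the ones a modern OpenSSL may refuse to verify.
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.3", "1.2.840.113549.1.1.4"}


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give length-of-length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def pem_to_der(text):
    """Extract and base64-decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, start)             # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)         # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, OID_NAMES.get(oid, oid)


def is_weak_signature(der):
    """True when the certificate is signed with MD2, MD4 or MD5."""
    return signature_algorithm(der)[0] in WEAK_SIGNATURE_OIDS


# --- constructed sample data (placeholder structure, not a valid certificate) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(enc)
    return out


def sample_certificate(sig_oid):
    """Outer X.509 layout around a stub tbsCertificate holding only a serial."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 16)                              # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        pem = der_to_pem(sample_certificate(oid))
        der = pem_to_der(pem)
        print(signature_algorithm(der), "WEAK" if is_weak_signature(der) else "ok")
```

Run it over each agent's PEM with `pem_to_der(open(path).read())` to get a list of hosts that still carry MD5-signed certificates; for a real certificate the same field is what `openssl x509 -in cert.pem -noout -text` prints as "Signature Algorithm", so the two can be cross-checked.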
