On 09/28/2017 01:25 PM, Stuart Marsden wrote:
Hi
thanks for all the comments and suggestions, especially the ones I
could understand
centos 7
yum upgrade
openssl version gives:
OpenSSL 1.0.2k-fips 26 Jan 2017
it looks like
echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings
allows the reading of MD5 Client certificates (which are still being
installed in "not released yet" phones)
I am almost concerned this is being done intentionally to meet some
security downgrade requirement. All the more reason to only use this cert
to bootstrap your own cert for the actual management.
That is a week of my life I won't get back
thanks again
Stuart
On 27 Sep 2017, at 19:02, Michael Wojcik
<michael.woj...@microfocus.com> wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jochen Bern
Sent: Wednesday, September 27, 2017 06:51
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Hardware client certificates moving to
Centos 7
I don't know offhand which OpenSSL versions did away with MD5, but you
*can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
straight off CentOS 7 repos:
Ugh. No need for 0.9.8e (which is from, what, the early Industrial
Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it
wasn't disabled in the build configuration. I think Stuart is dealing
with an OpenSSL build that had MD5 disabled in the Configure step.
Heck, MD4 and MDC2 are still available in 1.0.2 - even with the
default configuration, I believe. I'm looking at 1.0.2j here and it
has GOST, MD4, MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard
lengths), and Whirlpool.
That's just for digests, obviously; but the point is the MD5 support
is still there. And yes, 1.0.2j can handle certificates with
md5WithRsaEncryption signatures.
--
Michael Wojcik
Distinguished Engineer, Micro Focus
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Dr Stuart Marsden
*Tel:* +44 (0)1494 414100
*Email:* stu...@myphones.com