2017-07-12 8:35 GMT+02:00 Wouter Verhelst:
> On 11-07-17 23:44, Salz, Rich via openssl-users wrote:
> >> It's very well worth the effort, otherwise there's a security issue, because certificates can be forged.
> >
> > No they cannot.
> >
> > What *has* been done is a document was created with "
2017-07-10 19:30 GMT+02:00 Michael Wojcik:
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Niklas Keller
> > Sent: Monday, July 10, 2017 11:12
> > To: openssl-users@openssl.org
> > Subject: Re: [openssl-users] Rejecting SHA-1 certific
>
> > On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote:
> >
> >
> > What's the best way / a working way to reject weak signature schemes in OpenSSL 1.0.{1,2}?
>
> Most CAs have stopped issuing SHA-1 certificates. Any old ones will
> expire ov
Morning,
I'm currently trying to reject certificate chains which rely on MD5 and
SHA-1 for signatures. I found SSL_get0_verified_chain which could be used
to walk the chain and reject if there's any MD5 / SHA-1 certificate in
there, except for the last one, which is trusted because of the public k