[openssl-users] troubleshooting a puzzling issue
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Jan 13 15:47:34 UTC 2017
On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote:
> Thanks Viktor for your feedback
>
> Well, the 2 certificates are embedded in the python code as PEM; I am
> attaching them again here as plain files if that helps
The leaf certificate is signed with RSA+MD5:
$ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=onelab.inria
Validity
Not Before: Aug 18 13:30:49 2014 GMT
Not After : Aug 17 13:30:49 2019 GMT
Subject: CN=onelab.inria.thierry_parmentelat
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 35 (0x23)
X509v3 extensions:
X509v3 Basic Constraints: critical
X509v3 Subject Alternative Name:
URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a
Signature Algorithm: md5WithRSAEncryption
> In terms of versioning, on one box that exhibits the issue of returning -1, I have this:
>
> # cat /etc/fedora-release
> Fedora release 24 (Twenty Four)
Redhat is removing support for MD5 signatures from their OpenSSL
builds. From a recent email from them to the OpenSSL team:
We (Red Hat Enterprise Linux developers) decided to disable
support for verification of signatures with MD4, MD5, and SHA0
hashes in openssl library in Red Hat Enterprise Linux 6 and
newer and in Fedora. ...
Your 5 year MD5 certificate is getting stale, time to use something
a bit more current. Also its rather small exponent (35) is very
unwise. While not quite as bad as 3, it may be open to attack.
--
Viktor.
More information about the openssl-users
mailing list