[openssl-users] Hardware client certificates moving to Centos 7

Robert Moskowitz rgm at htt-consult.com
Thu Sep 28 19:04:53 UTC 2017



On 09/28/2017 01:25 PM, Stuart Marsden wrote:
> Hi
>
> thanks for all the comments and suggestions, especially the ones I 
> could understand
>
> centos 7
> yum upgrade
>
> openssl version gives:
>
> OpenSSL 1.0.2k-fips  26 Jan 2017
>
>
> it looks like
>
> echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings
>
> allows the reading of Md5 Client certificates (which are still being 
> installed in "not released yet" phones)

I am almost concerned this is being done intentionally to meet some 
security downgrade requirement.  All the more reason to only use this cert 
to bootstrap your own cert for the actual management.


>
> That is a week of my life I won't get back
>
> thanks again
>
> Stuart
>
>
>> On 27 Sep 2017, at 19:02, Michael Wojcik 
>> <Michael.Wojcik at microfocus.com> wrote:
>>
>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>>> Of Jochen Bern
>>> Sent: Wednesday, September 27, 2017 06:51
>>> To: openssl-users at openssl.org
>>> Subject: Re: [openssl-users] Hardware client certificates moving to 
>>> Centos 7
>>>
>>> I don't know offhand which OpenSSL versions did away with MD5, but you
>>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>>> straight off CentOS 7 repos:
>>
>> Ugh. No need for 0.9.8e (which is from, what, the early Industrial 
>> Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it 
>> wasn't disabled in the build configuration. I think Stuart is dealing 
>> with an OpenSSL build that had MD5 disabled in the Configure step.
>>
>> Heck, MD4 and MDC2 are still available in 1.0.2 - even with the 
>> default configuration, I believe. I'm looking at 1.0.2j here and it 
>> has GOST, MD4, MD5, MDC2, RIPEMD-160, SHA, SHA1, SHA-2 (all standard 
>> lengths), and Whirlpool.
>>
>> That's just for digests, obviously; but the point is the MD5 support 
>> is still there. And yes, 1.0.2j can handle certificates with 
>> md5WithRsaEncryption signatures.
>>
>> -- 
>> Michael Wojcik
>> Distinguished Engineer, Micro Focus
>>
>
>
> Dr Stuart Marsden
> *Tel:* +44 (0)1494 414100
> *Email:* stuart at myPhones.com
>

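An added example, not code from the thread or from OpenSSL/CentOS: before relying on the LegacySigningMDs setting, it helps to inventory which client certificates are actually MD5-signed. The minimal DER walk below reads the signatureAlgorithm OID straight out of a DER certificate (OID names are the standard RFC 3279/4055 assignments); `sample_cert()` builds a constructed certificate shell for demonstration, not a real certificate.

```python
# Signature-algorithm OIDs (RFC 3279 / RFC 4055), dotted form -> name.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
KNOWN_SIG_OIDS = {**WEAK_SIG_OIDS, "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, pos)           # skip tbsCertificate wholesale
    _, alg_start, _ = _tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])

def classify(der):
    """Return (algorithm name, is_weak) for one DER-encoded certificate."""
    oid = signature_algorithm_oid(der)
    return KNOWN_SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS

def _der(tag, content):                      # short-form encoder, sample building only
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid):
    """Constructed Certificate shell (not a real cert): placeholder tbs and signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
MD5_RSA = bytes.fromhex("2a864886f70d010104")    # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b") # 1.2.840.113549.1.1.11
```

For real input, feed `classify()` the bytes of a DER file (or the base64-decoded body of a PEM block); a weak result is a certificate to replace rather than one to keep accepting.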