<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 09/28/2017 01:25 PM, Stuart Marsden
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:D6F2782C-27B7-44BB-A95F-ACF620ECFC6B@myphones.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
Hi
<div class=""><br class="">
</div>
<div class="">thanks for all the comments and suggestions,
especially the ones I could understand</div>
<div class=""><br class="">
</div>
<div class="">centos 7</div>
<div class="">yum upgrade</div>
<div class=""><br class="">
</div>
<div class="">
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">openssl version gives:</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">OpenSSL 1.0.2k-fips 26 Jan
2017</span></div>
</div>
<div class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">it looks like </span></div>
<div class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div class="">
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">echo 'LegacySigningMDs md5'
>> /etc/pki/tls/legacy-settings</span></div>
</div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">allows the reading of Md5 Client
certificates (which are still being installed in "not released
yet" phones)</span></div>
</blockquote>
<br>
I am almost concerned this is being done intentionally to meet some
security downgrade requirement. I the more reason to only use this
cert to bootstrap your own cert for the actual management.<br>
<br>
<br>
<blockquote type="cite"
cite="mid:D6F2782C-27B7-44BB-A95F-ACF620ECFC6B@myphones.com">
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">That is a week of my life I wont
get back</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">thanks again</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class=""><br class="">
</span></div>
<div style="margin: 0px; font-size: 11px; line-height: normal;
font-family: Menlo; background-color: rgb(255, 255, 255);"
class=""><span style="font-variant-ligatures:
no-common-ligatures" class="">Stuart</span></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 27 Sep 2017, at 19:02, Michael Wojcik <<a
href="mailto:Michael.Wojcik@microfocus.com" class=""
moz-do-not-send="true">Michael.Wojcik@microfocus.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">
<blockquote type="cite" class="">From: openssl-users [<a
href="mailto:openssl-users-bounces@openssl.org"
class="" moz-do-not-send="true">mailto:openssl-users-bounces@openssl.org</a>]
On Behalf<br class="">
Of Jochen Bern<br class="">
Sent: Wednesday, September 27, 2017 06:51<br class="">
To: <a href="mailto:openssl-users@openssl.org"
class="" moz-do-not-send="true">openssl-users@openssl.org</a><br
class="">
Subject: Re: [openssl-users] Hardware client
certificates moving to Centos 7<br class="">
<br class="">
I don't know offhand which OpenSSL versions did away
with MD5, but you<br class="">
*can* install an 0.9.8e (+ RHEL/CentOS backported
security patches)<br class="">
straight off CentOS 7 repos:<br class="">
</blockquote>
<br class="">
Ugh. No need for 0.9.8e (which is from, what, the early
Industrial Revolution?). MD5 is still available in
OpenSSL 1.0.2, assuming it wasn't disabled in the build
configuration. I think Stuart is dealing with an OpenSSL
build that had MD5 disabled in the Configure step.<br
class="">
<br class="">
Heck, MD4 and MDC2 are still available in 1.0.2 - even
with the default configuration, I believe. I'm looking
at 1.0.2j here and it has GOST, MD4, MD5, MDC2,
RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and
Whirlpool.<br class="">
<br class="">
That's just for digests, obviously; but the point is the
MD5 support is still there. And yes, 1.0.2j can handle
certificates with md5WithRsaEncryption signatures.<br
class="">
<br class="">
-- <br class="">
Michael Wojcik <br class="">
Distinguished Engineer, Micro Focus <br class="">
<br class="">
<br class="">
<br class="">
-- <br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a
href="https://mta.openssl.org/mailman/listinfo/openssl-users"
class="" moz-do-not-send="true">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br
class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
<div class="">
<br class="">
<big class=""><big class="">Dr Stuart Marsden</big></big><br
class="">
<b class="">Tel:</b> +44 (0)1494 414100 <br class="">
<b class="">Email:</b> <a href="mailto:stuart@myPhones.com"
class="" moz-do-not-send="true">stuart@myPhones.com</a>
<br class="">
<br class="">
<img alt="Altos Banner"
src="http://provision.myphones.net/emailfooter2.png"
class="" moz-do-not-send="true">
</div>
<br class="">
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>