[openssl-users] troubleshooting a puzzling issue

Thierry Parmentelat thierry.parmentelat at inria.fr
Fri Jan 13 15:52:05 UTC 2017


ooookkkk; it explains it all :)

Thanks so much for your time looking into this, it is very helpful — Thierry 


> On 13 Jan 2017, at 16:47, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
> On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote:
> 
>> Thanks Viktor for your feedback
>> 
>> Well, the 2 certificates are embedded in the python code as PEM; I am
>> attaching them again here as plain files if that helps
> 
> The leaf certificate is signed with RSA+MD5:
> 
>    $ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:'
>    Certificate:
> 	Data:
> 	    Version: 3 (0x2)
> 	    Serial Number: 3 (0x3)
> 	Signature Algorithm: md5WithRSAEncryption
> 	    Issuer: CN=onelab.inria
> 	    Validity
> 		Not Before: Aug 18 13:30:49 2014 GMT
> 		Not After : Aug 17 13:30:49 2019 GMT
> 	    Subject: CN=onelab.inria.thierry_parmentelat
> 	    Subject Public Key Info:
> 		Public Key Algorithm: rsaEncryption
> 		    Public-Key: (1024 bit)
> 		    Modulus:
> 		    Exponent: 35 (0x23)
> 	    X509v3 extensions:
> 		X509v3 Basic Constraints: critical
> 		X509v3 Subject Alternative Name:
> 		    URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a
> 	Signature Algorithm: md5WithRSAEncryption
> 
>> In terms of versioning, on one box that exhibits the issue of returning -1, I have this:
>> 
>> # cat /etc/fedora-release
>> Fedora release 24 (Twenty Four)
> 
> Red Hat is removing support for MD5 signatures from their OpenSSL
> builds.  From a recent email from them to the OpenSSL team:
> 
>    We (Red Hat Enterprise Linux developers) decided to disable
>    support for verification of signatures with MD4, MD5, and SHA0
>    hashes in openssl library in Red Hat Enterprise Linux 6 and
>    newer and in Fedora. ...
> 
> Your 5 year MD5 certificate is getting stale, time to use something
> a bit more current.  Also its rather small exponent (35) is very
> unwise.  While not quite as bad as 3, it may be open to attack.
> 
> -- 
> 	Viktor.
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
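
A check for the two weaknesses identified in the reply above, as an added example that is not part of the original thread: it reads `openssl x509 -noout -text` output and flags MD4/MD5/SHA0 signature algorithms and small RSA public exponents. The function name, the `MIN_EXP` threshold of 65537, and the assumption that OpenSSL prints SHA-0 as `shaWithRSAEncryption` are choices made for this example; the sample text is abridged from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: openssl x509 -in cert.pem -noout -text | audit_cert_text

# Reads certificate text on stdin, prints one finding per line,
# returns 0 when nothing is flagged and 1 otherwise.
audit_cert_text() {
    # MIN_EXP is an assumed policy threshold; the thread only says that
    # 35 is unwise and 3 is worse.
    awk -v min_exp="${MIN_EXP:-65537}" '
        BEGIN { bad = 0 }
        # The algorithm is printed twice (inside and outside the signed
        # data); report each distinct value once.
        /Signature Algorithm:/ {
            alg = tolower($NF)
            if (!(alg in seen) && alg ~ /^(md4|md5|sha)with/) {
                # "shaWith..." is assumed to be how SHA-0 is labelled;
                # sha1With.../sha256With... do not match this pattern.
                printf "WEAK-SIGNATURE %s\n", $NF
                bad = 1
            }
            seen[alg] = 1
        }
        # RSA public exponent line, e.g. "Exponent: 35 (0x23)"
        $1 == "Exponent:" {
            if ($2 + 0 < min_exp + 0) {
                printf "SMALL-EXPONENT %d\n", $2
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Abridged copy of the certificate text quoted in the thread.
sample_cert_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=onelab.inria
        Subject: CN=onelab.inria.thierry_parmentelat
                Public-Key: (1024 bit)
                Exponent: 35 (0x23)
    Signature Algorithm: md5WithRSAEncryption
EOF
}
```

Running `sample_cert_text | audit_cert_text` reports both findings and returns a non-zero status, so the function can gate a certificate inventory script before an OpenSSL update starts rejecting such certificates.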


