[openssl-users] Hardware client certificates moving to Centos 7

Freemon Johnson freemonj at gmail.com
Wed Sep 27 18:57:04 UTC 2017


Not sure if this helps but the native installation for CentOS7 by default
installs OpenSSL with FIPS mode compiled in which means deprecated
algorithms such as MD5 and the like will not work. If you tried to generate
a certificate you should have received an error or not have seen that
algorithm in your certificate etc.

As others have suggested you will have to end up building a version of OpenSSL
with FIPS mode disabled in order to use MD5 unless you can get a version
from the CentOS repo mirrors without FIPS.

The default output from "openssl version" in CentOS7

OpenSSL 1.0.1e-fips 11 Feb 2013

On Wed, Sep 27, 2017 at 2:02 PM, Michael Wojcik <
Michael.Wojcik at microfocus.com> wrote:

> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > Of Jochen Bern
> > Sent: Wednesday, September 27, 2017 06:51
> > To: openssl-users at openssl.org
> > Subject: Re: [openssl-users] Hardware client certificates moving to
> Centos 7
> >
> > I don't know offhand which OpenSSL versions did away with MD5, but you
> > *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
> > straight off CentOS 7 repos:
>
> Ugh. No need for 0.9.8e (which is from, what, the early Industrial
> Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't
> disabled in the build configuration. I think Stuart is dealing with an
> OpenSSL build that had MD5 disabled in the Configure step.
>
> Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default
> configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4,
> MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and
> Whirlpool.
>
> That's just for digests, obviously; but the point is the MD5 support is
> still there. And yes, 1.0.2j can handle certificates with
> md5WithRsaEncryption signatures.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
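
The thread mentions three separate conditions: a version string ending in "-fips", an OpenSSL build in which MD5 is unavailable, and a certificate signed with md5WithRSAEncryption. The shell script below is an added example, not part of the original messages, that reports each one separately. The function names and the sample certificate text are constructed for illustration; `/proc/sys/crypto/fips_enabled` is the Linux kernel's FIPS flag.

```sh
#!/bin/sh
# Added example (not from the thread): separate "FIPS-capable build",
# "MD5 usable right now" and "certificate is MD5-signed".

# Constructed excerpt in the layout of `openssl x509 -noout -text` output.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example Hardware CA'

# Succeeds if an `openssl version` line carries the "-fips" build suffix.
is_fips_build() {
    case "$1" in *-fips*) return 0 ;; *) return 1 ;; esac
}

# Reads `openssl x509 -noout -text` output on stdin and prints the first
# "Signature Algorithm" value.
sig_alg_from_text() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Succeeds if the algorithm name is MD5-based (e.g. md5WithRSAEncryption).
is_md5_sig() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in md5*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the local openssl binary can actually compute an MD5 digest.
md5_usable() {
    printf 'probe' | openssl dgst -md5 >/dev/null 2>&1
}

# report CERT.pem: print the findings for one PEM certificate.
report() {
    ver=$(openssl version)
    alg=$(openssl x509 -in "$1" -noout -text | sig_alg_from_text)
    is_fips_build "$ver" && echo "build: FIPS-capable ($ver)" || echo "build: $ver"
    echo "kernel fips_enabled: $(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo n/a)"
    md5_usable && echo "md5 digest: usable" || echo "md5 digest: rejected or not built"
    is_md5_sig "$alg" && echo "$1: $alg (MD5-signed)" || echo "$1: $alg"
}

if [ "$#" -gt 0 ]; then report "$1"; fi
```

Run it with the path to a PEM client certificate as the only argument; with no argument it only defines the functions.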