[openssl-users] Hardware client certificates moving to Centos 7

Freemon Johnson freemonj at gmail.com
Wed Sep 27 20:10:22 UTC 2017


FIPS mode is a policy decision in my opinion also but since RedHat prides
itself on security e.g. SELinux, etc. I believe that is a RedHat decision
as opposed to the OpenSSL community. The alternative would be to use a
different Linux distro like Ubuntu, etc. which does not compile their
OpenSSL with FIPS enabled natively to support legacy algorithms.

*FYI I am not speaking on behalf of RedHat or OpenSSL.* This is all
conjecture and my 2 cents :-)

On Wed, Sep 27, 2017 at 3:15 PM, Jeffrey Walton <noloader at gmail.com> wrote:

> >> I don't know offhand which OpenSSL versions did away with MD5, but you
> >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
> >> straight off CentOS 7 repos:
> >
> > Ugh. No need for 0.9.8e (which is from, what, the early Industrial
> Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't
> disabled in the build configuration. I think Stuart is dealing with an
> OpenSSL build that had MD5 disabled in the Configure step.
> >
> > Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default
> configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4,
> MD5, MDC2, RIPEMD-160, SHA, SHA1, SHA-2 (all standard lengths), and
> Whirlpool.
>
> Some of those algorithms may still be needed for some use cases. For
> example, Apple still ships (or used to ship until recently) some
> certificates that use MD2. They were present in iOS 7 and 8. Also see
> http://seclists.org/fulldisclosure/2013/Sep/184.
>
> I think the best OpenSSL can do for now is allow those who don't need
> antique algorithms to disable them at compile time. Otherwise, OpenSSL
> is making policy decisions that may not work well for some folks.
>
> Jeff
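The check the thread keeps circling back to, whether a given OpenSSL build still exposes MD5 and the other antique digests or had them disabled at configure time, as an added example that is not part of the thread: it uses Python's hashlib, which instantiates digests through the OpenSSL library linked into the interpreter, so the result reflects that build; the legacy list is an assumption taken from the algorithms named above.

```python
"""Probe which message digests the OpenSSL linked into this Python
provides, and flag the legacy ones that a hardened or FIPS build should
have dropped. Added example; the LEGACY_DIGESTS set is an assumption
built from the algorithm names in the thread, not an official list."""
import hashlib
import ssl

# Digests the thread calls "antique"; a default 1.0.2 build accepts them,
# a FIPS-enabled build (or OpenSSL 3 without the legacy provider) rejects most.
LEGACY_DIGESTS = ("md4", "md5", "mdc2", "ripemd160", "whirlpool", "sha1")
MODERN_DIGESTS = ("sha256", "sha384", "sha512")


def digest_available(name: str) -> bool:
    """True if the linked OpenSSL can instantiate the named digest."""
    try:
        hashlib.new(name, b"probe")
        return True
    except ValueError:  # hashlib raises this when the build lacks the algorithm
        return False


def probe_digests(names=LEGACY_DIGESTS + MODERN_DIGESTS) -> dict:
    """Map each digest name to whether this OpenSSL build provides it."""
    return {n: digest_available(n) for n in names}


def enabled_legacy(report: dict) -> list:
    """Legacy digests the build still exposes: the audit finding to review."""
    return sorted(n for n in LEGACY_DIGESTS if report.get(n))


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    report = probe_digests()
    for name, ok in report.items():
        print(f"{name:10s} {'available' if ok else 'absent'}")
    print("legacy digests still enabled:", enabled_legacy(report) or "none")
```

Run it on the CentOS 7 host and on the build you are migrating from; the two "legacy digests still enabled" lines show exactly which algorithms the target build has disabled.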