[openssl-users] Hardware client certificates moving to Centos 7

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Sep 27 21:12:44 UTC 2017


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Jeffrey Walton
> Sent: Wednesday, September 27, 2017 13:15
> To: OpenSSL Users
> Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7
> 
> >
> > Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default
> configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, MD5,
> MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.
> 
> Some of those algorithms may still needed for some use cases. For
> example, Apple still ships (or used to ship until recently) some
> certificates that use MD2. They were present in iOS 7 and 8. Also see
> http://seclists.org/fulldisclosure/2013/Sep/184.
> 
> I think the best OpenSSL can for now is allow those who don't need
> antique algorithms to disable them at compile time. Otherwise, OpenSSL
> is making policy decisions that may not work well for some folks.

Oh, definitely. I wasn't suggesting we should get rid of them. Just wanted to point out that it wasn't necessary to go back to a stone-age release of OpenSSL to have them.

Though, as subsequent people pointed out, I did not account for FIPS mode. Why anyone would install a FIPS build by default is beyond me (particularly since the FIPS validation is so picky about OS versions and the like). Though, of course, the application using OpenSSL need not enable FIPS mode...

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 





More information about the openssl-users mailing list