[openssl-users] Hardware client certificates moving to Centos 7

Stuart Marsden stuart at myphones.com
Thu Sep 28 17:25:18 UTC 2017


thanks for all the comments and suggestions, especially the ones I could understand

centos 7
yum upgrade

openssl version gives:

OpenSSL 1.0.2k-fips  26 Jan 2017

it looks like 

echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings

allows the reading of Md5 Client certificates (which are still being installed in "not released yet" phones)

That is a week of my life I wont get back

thanks again


> On 27 Sep 2017, at 19:02, Michael Wojcik <Michael.Wojcik at microfocus.com> wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>> Of Jochen Bern
>> Sent: Wednesday, September 27, 2017 06:51
>> To: openssl-users at openssl.org
>> Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7
>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>> straight off CentOS 7 repos:
> Ugh. No need for 0.9.8e (which is from, what, the early Industrial Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't disabled in the build configuration. I think Stuart is dealing with an OpenSSL build that had MD5 disabled in the Configure step.
> Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.
> That's just for digests, obviously; but the point is the MD5 support is still there. And yes, 1.0.2j can handle certificates with md5WithRsaEncryption signatures.
> -- 
> Michael Wojcik 
> Distinguished Engineer, Micro Focus 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Dr Stuart Marsden
Tel: +44 (0)1494 414100 
Email: stuart at myPhones.com <mailto:stuart at myPhones.com> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170928/1775b34d/attachment.html>

More information about the openssl-users mailing list