Bug 1158767

Summary: RELNOTES - Certificates signed with MD5 algorithm are now rejected
Product: [Fedora] Fedora Documentation Reporter: Tomas Mraz <tmraz>
Component: release-notesAssignee: Pete Travis <me>
Status: CLOSED CURRENTRELEASE QA Contact: Cristian Ciupitu <cristian.ciupitu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: develCC: cristian.ciupitu, me, relnotes, wb8rcr, zach
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-14 20:14:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 168083    

Description Tomas Mraz 2014-10-30 08:00:50 UTC
OpenSSL was patched to disallow verification of certificates that are signed with MD5 algorithm. The use of MD5 hash algorithm for certificate signatures is now considered as insecure and thus all the main crypto libraries in Fedora were patched to reject such certificates.

Certificates signed with MD5 algorithm are not present on public https web sites anymore but they can be still in use on private networks or used for authentication on openvpn based VPNs such as in bug 1157260. It is highly recommended to replace such certificates with new ones signed with SHA256 or at least SHA1. As a temporary measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with MD5 algorithm.

Comment 1 Pete Travis 2014-12-06 18:11:59 UTC
Thanks Tomas, noted in https://git.fedorahosted.org/cgit/docs/release-notes.git/commit/?id=b62fd2f437813d9fb95d770a0a0bfce21256fd2a and .  You explained it well, so I shamelessly took your copy :)

Comment 2 Pete Travis 2015-05-14 20:14:40 UTC
This was done!