Bug 1265434
| Summary: | openssl crl verification error | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Tim Mooney <mooney> |
| Component: | doc-Security_Guide | Assignee: | Mirek Jahoda <mjahoda> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.3 | CC: | mooney, rkratky |
| Target Milestone: | rc | Keywords: | Documentation, Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-06-06 09:43:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Can you please use Red Hat Support contact to report the issue? It is needed to properly prioritize the fix. http://www.redhat.com/en/services/support After inspection of the CRL the issue is apparent - the CRL is signed with MD5 hash and that is an insecure algorithm for signatures. Verification of signatures with MD5 hash is disabled by default in the RHEL-7. That's a fine security change, but is it documented anywhere? It's not mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes. How is a customer supposed to know about this change, if it's not documented? Shouldn't this be reassigned to the documentation team? Reassigning all of my bugs to the new DPM Tomas Capek. (In reply to Tim Mooney from comment #4) > That's a fine security change, but is it documented anywhere? It's not > mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes. > > How is a customer supposed to know about this change, if it's not documented? > > Shouldn't this be reassigned to the documentation team? Hello Tim, you can find the mention in the RHEL 7.0 Release Notes [1] and we will put this change also in the 7.1/7.2 Release Notes. I've just added the admonition at the end of the section Verifying Certificates in the RHEL7 Security Guide (should be published on the RH Customer Portal in a couple of days). Have a nice day, --Mirek [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/Known-Issues-Networking.html The solution is published on the Red Hat Customer Portal: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Verifying_Certificates (closing the bug) |
Description of problem: Using "openssl crl" on Red Hat Enterprise Linux 7 fails to verify the CRL. The exact same command with the same CA and CRL files works on earlier versions of RHEL. Version-Release number of selected component (if applicable): openssl-1.0.1e-42.el7_1.9.x86_64 How reproducible: Always Steps to Reproduce: Execute the following with a CA and a CRL in PEM format: openssl crl -CAfile RootCA2013.pem -in revokeRootCA2013.pem Actual results: No output, and the verification fails. Expected results: The same results as using openssl on RHEL 5.x and 6.x: $ openssl crl -CAfile RootCA2013.pem -in revokeRootCA2013.pem verify OK -----BEGIN X509 CRL----- MIIB0TCBujANBgkqhkiG9w0BAQQFADCBijEdMBsGA1UEAwwUTkRTVSBFUyBSb290 IENBIDIwMTMxJjAkBgNVBAoMHU5vcnRoIERha290YSBTdGF0ZSBVbml2ZXJzaXR5 MQ0wCwYDVQQLDARWUElUMQ4wDAYDVQQHDAVGYXJnbzEVMBMGA1UECAwMTm9ydGgg RGFrb3RhMQswCQYDVQQGEwJVUxcNMTMwNzA5MjI0MjAyWhcNNDMwNzAyMjI0MjAy WjANBgkqhkiG9w0BAQQFAAOCAQEAc8jJvNcQ68LKe85e7+PV9NalP5lpKiaXFWpk ughxuXa0J2JIOSKAppYQ4e1ipD7yXnM1BWv3ABvTC+Ov5IEr4GD3sMpyYw9zGciM vwjgZE375WRGIqt2ld1lxtxivj7qeGPa900T+Dan6CGzBmLH5vKdEYPddUUTLW3+ JPK3gDAKPemjdyZvFuOqSDphvKFT1Luc4ohTE3eKJ6dc1q0be4ziqtSAuJydRIiX VBQq3h7e8ZgKOp1GxNrI05gUe8dJZ7PynO61fChhPiH0auwVt3YKDOWoM7iyhmPl rBKhZyChKQa3tXvNgPWNlARRvEpyZIBGZrOfWrQq6KRkjVsiag== -----END X509 CRL----- Note: despite nearly identical package versions between RHEL 6.x and RHEL 7.x, the verification fails on RHEL 7 but works on RHEL 6. Additional info: This is probably caused by the bug that Steven Henson confirms in this thread: http://comments.gmane.org/gmane.comp.encryption.openssl.user/50507