Bug 1335914
| Summary: | Disable the MD5 as a signing algorithm in openssl library | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Nikos Mavrogiannopoulos <nmavrogi> | |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> | |
| Status: | CLOSED ERRATA | QA Contact: | Stanislav Zidek <szidek> | |
| Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> | |
| Priority: | unspecified | |||
| Version: | 6.9 | CC: | bk.aihg, szidek, tmraz | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openssl-1.0.1e-51.el6 | Doc Type: | Deprecated Functionality | |
| Doc Text: |
MD5, MD4, and SHA0 as the signing algorithms in *OpenSSL* disabled
With this update, support for the verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL) and message signatures is removed.
The system administrator can enable MD5, MD4, or SHA0 support by modifying the "LegacySigningMDs" option in the `etc/pki/tls/legacy-settings` policy configuration file, for example:
echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings
You can also enable the MD5 verification by setting the "OPENSSL_ENABLE_MD5_VERIFY" environment variable.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1335915 (view as bug list) | Environment: | ||
| Last Closed: | 2017-03-21 10:11:27 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1335911, 1343211 | |||
|
Description
Nikos Mavrogiannopoulos
2016-05-13 14:22:41 UTC
I've found that it was possible to verify also certificates using MD2, MD4, and SHA0, I've disabled these together with MD5. The system administrator can re-enable some of them with echo 'LegacySigningMDs md5 md4' >> /etc/pki/tls/legacy-settings For MD5 it is also possible to enable it by setting environment variable OPENSSL_ENABLE_MD5_VERIFY to any value (same method as in RHEL-7). Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0660.html Hi, The option to enable MD4 in legacy does not work when fips is enabled. Any workaround for that? I am trying to connect to exchange which uses NTLM protocol and NTLM protocol uses MD4 and using fips is compliance. So I need to allow md4 hashing and at the same time enable fips as we well. I am using redhat7. Thanks, BK The legacy algorithms handling for signature verification is completely unrelated to the general disablement of MD4 in FIPS mode. There is a way how to use MD4 from openssl in FIPS mode but that requires the application to use a specific API call from openssl to mark the MD4 use as non-security relevant. There is no way around that from system administrator side. Thank you Tomas. Could you please direct me to the specific API call from openssl. I was not able to find it. Even this does not work ... openssl dgst -non-fips-allow -md4 <<fielname>> I will open this up with openssl as well, but if you have anything handy that would be a huge help. Thanks, BK This is an API call, not a command line option. I understand. Could you please let me know the API from openssl. Thanks, BK |