Bug 1158767 - RELNOTES - Certificates signed with MD5 algorithm are now rejected
RELNOTES - Certificates signed with MD5 algorithm are now rejected
Status: CLOSED CURRENTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: release-notes (Show other bugs)
devel
All Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Pete Travis
Cristian Ciupitu
:
Depends On:
Blocks: fc5-relnotes-traqr
  Show dependency treegraph
 
Reported: 2014-10-30 04:00 EDT by Tomas Mraz
Modified: 2015-05-14 16:14 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-14 16:14:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Mraz 2014-10-30 04:00:50 EDT
OpenSSL was patched to disallow verification of certificates that are signed with MD5 algorithm. The use of MD5 hash algorithm for certificate signatures is now considered as insecure and thus all the main crypto libraries in Fedora were patched to reject such certificates.

Certificates signed with MD5 algorithm are not present on public https web sites anymore but they can be still in use on private networks or used for authentication on openvpn based VPNs such as in bug 1157260. It is highly recommended to replace such certificates with new ones signed with SHA256 or at least SHA1. As a temporary measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with MD5 algorithm.
Comment 1 Pete Travis 2014-12-06 13:11:59 EST
Thanks Tomas, noted in https://git.fedorahosted.org/cgit/docs/release-notes.git/commit/?id=b62fd2f437813d9fb95d770a0a0bfce21256fd2a and .  You explained it well, so I shamelessly took your copy :)
Comment 2 Pete Travis 2015-05-14 16:14:40 EDT
This was done!

Note You need to log in before you can comment on or make changes to this bug.