Bug 1265434 - openssl crl verification error
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Security_Guide
Version: 7.3
Hardware: All
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Mirek Jahoda
QA Contact: ecs-bugs
Keywords: Documentation, Reopened
Reported: 2015-09-22 19:10 EDT by Tim Mooney
Modified: 2016-06-06 05:43 EDT (History)

Doc Type: Bug Fix
Last Closed: 2016-06-06 05:43:14 EDT
Type: Bug
Description Tim Mooney 2015-09-22 19:10:15 EDT
Description of problem:

Using "openssl crl" on Red Hat Enterprise Linux 7 fails to verify the CRL.  The exact same command with the same CA and CRL files works on earlier versions of RHEL.


Version-Release number of selected component (if applicable):

openssl-1.0.1e-42.el7_1.9.x86_64


How reproducible:

Always


Steps to Reproduce:

Execute the following with a CA and a CRL in PEM format:

    openssl crl -CAfile RootCA2013.pem  -in revokeRootCA2013.pem

Actual results:

No output, and the verification fails.

Expected results:

The same results as using openssl on RHEL 5.x and 6.x:

$ openssl crl -CAfile RootCA2013.pem  -in revokeRootCA2013.pem
verify OK
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----


Note: despite nearly identical package versions between RHEL 6.x and RHEL 7.x, the verification fails on RHEL 7 but works on RHEL 6.

Additional info:

This is probably caused by the bug that Steven Henson confirms in this thread:

    http://comments.gmane.org/gmane.comp.encryption.openssl.user/50507
Comment 2 Tomas Mraz 2015-09-23 04:08:45 EDT
Can you please use Red Hat Support contact to report the issue? It is needed to properly prioritize the fix.

http://www.redhat.com/en/services/support
Comment 3 Tomas Mraz 2015-09-23 04:12:16 EDT
After inspection of the CRL the issue is apparent: the CRL is signed with an MD5 hash, and that is an insecure algorithm for signatures. Verification of signatures with an MD5 hash is disabled by default in RHEL-7.
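The following is an added example, not part of the bug report or of Red Hat's documentation. It is a POSIX shell script that builds a throwaway CA with the openssl command-line tool, issues one CRL signed with MD5 and one signed with SHA-256, reads the signature algorithm out of each CRL (the inspection that explains the silent failure above) and then runs the reporter's `openssl crl -CAfile` verification on each. The CA name (Example Root CA), the working directory, the file names and the 30-day lifetimes are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or Red Hat docs): build a throwaway CA,
# issue one CRL signed with MD5 and one with SHA-256, then inspect and verify
# each the way the reporter did. Requires the openssl CLI; the CA name, paths
# and 30-day lifetimes are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config: [req] for the self-signed root, [example_ca] for CRL issuance
# (openssl ca needs a database and a crlnumber file even when it only signs CRLs).
setup_ca() {
    mkdir -p "$WORK/db"
    : > "$WORK/db/index.txt"
    printf '01\n' > "$WORK/db/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ ca ]
default_ca = example_ca

[ example_ca ]
dir              = $WORK
database         = \$dir/db/index.txt
crlnumber        = \$dir/db/crlnumber
certificate      = \$dir/RootCA.pem
private_key      = \$dir/RootCA.key
default_md       = sha256
default_crl_days = 30
EOF
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=Example Root CA" -days 30 \
        -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.pem" 2>/dev/null
}

# make_crl <digest> <outfile>: issue an (empty) CRL signed with the given digest.
# Fails on builds whose policy refuses to sign with that digest at all.
make_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -md "$1" -out "$2" 2>/dev/null
}

# crl_sigalg <crl.pem>: the signature algorithm the CRL was signed with.
# This is the check behind the diagnosis above: an md5WithRSAEncryption CRL
# is rejected wherever MD5 signature verification is disabled.
crl_sigalg() {
    openssl crl -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# verify_crl <crl.pem>: succeed only if openssl reports "verify OK".
# Same command as the report, plus -noout; the verdict is printed on stderr.
verify_crl() {
    openssl crl -CAfile "$WORK/RootCA.pem" -in "$1" -noout 2>&1 \
        | grep -q '^verify OK$'
}

setup_ca
make_crl sha256 "$WORK/crl-sha256.pem"
if ! make_crl md5 "$WORK/crl-md5.pem"; then
    echo "this OpenSSL build refuses to sign with MD5 at all"
fi

for crl in "$WORK/crl-sha256.pem" "$WORK/crl-md5.pem"; do
    [ -s "$crl" ] || continue
    if verify_crl "$crl"; then status="verify OK"; else status="verify failure"; fi
    echo "$(basename "$crl"): $(crl_sigalg "$crl") -> $status"
done
```

Run it with sh; it prints one line per CRL giving the signature algorithm and the verification verdict. The SHA-256 CRL verifies on every build. What happens to the md5WithRSAEncryption CRL depends on the build's policy: RHEL 7 rejects it, as this report shows, while other builds may still accept it, or may refuse to produce it in the first place. That is why the Signature Algorithm line in `openssl crl -noout -text`, rather than a verify result obtained on some other machine, is the thing to check when a CRL that used to validate silently stops doing so.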
Comment 4 Tim Mooney 2015-09-23 14:10:02 EDT
That's a fine security change, but is it documented anywhere?  It's not mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes.

How is a customer supposed to know about this change, if it's not documented?

Shouldn't this be reassigned to the documentation team?
Comment 5 Laura Bailey 2015-10-12 05:07:05 EDT
Reassigning all of my bugs to the new DPM Tomas Capek.
Comment 8 Mirek Jahoda 2016-06-02 05:38:32 EDT
(In reply to Tim Mooney from comment #4)
> That's a fine security change, but is it documented anywhere?  It's not
> mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes.
> 
> How is a customer supposed to know about this change, if it's not documented?
> 
> Shouldn't this be reassigned to the documentation team?

Hello Tim,

You can find the mention in the RHEL 7.0 Release Notes [1], and we will also put this change in the 7.1/7.2 Release Notes. I've just added the admonition at the end of the section Verifying Certificates in the RHEL 7 Security Guide (it should be published on the RH Customer Portal in a couple of days).

Have a nice day,
--Mirek

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/Known-Issues-Networking.html
Comment 9 Mirek Jahoda 2016-06-06 05:43:14 EDT
The solution is published on the Red Hat Customer Portal: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Verifying_Certificates (closing the bug)