Bug 1265434 - openssl crl verification error
Summary: openssl crl verification error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Security_Guide
Version: 7.3
Hardware: All
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Mirek Jahoda
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-22 23:10 UTC by Tim Mooney
Modified: 2019-03-06 02:28 UTC (History)
CC: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-06 09:43:14 UTC
Target Upstream Version:
Embargoed:



Description Tim Mooney 2015-09-22 23:10:15 UTC
Description of problem:

Using "openssl crl" on Red Hat Enterprise Linux 7 fails to verify the CRL.  The exact same command with the same CA and CRL files works on earlier versions of RHEL.


Version-Release number of selected component (if applicable):

openssl-1.0.1e-42.el7_1.9.x86_64


How reproducible:

Always


Steps to Reproduce:

Execute the following with a CA and a CRL in PEM format:

    openssl crl -CAfile RootCA2013.pem  -in revokeRootCA2013.pem

Actual results:

No output, and the verification fails.

Expected results:

The same results as using openssl on RHEL 5.x and 6.x:

$ openssl crl -CAfile RootCA2013.pem  -in revokeRootCA2013.pem
verify OK
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----


Note: despite nearly identical package versions between RHEL 6.x and RHEL 7.x, the verification fails on RHEL 7 but works on RHEL 6.

Additional info:

This is probably caused by the bug that Steven Henson confirms in this thread:

    http://comments.gmane.org/gmane.comp.encryption.openssl.user/50507

Comment 2 Tomas Mraz 2015-09-23 08:08:45 UTC
Can you please use the Red Hat Support contact to report the issue? It is needed to properly prioritize the fix.

http://www.redhat.com/en/services/support

Comment 3 Tomas Mraz 2015-09-23 08:12:16 UTC
After inspection of the CRL the issue is apparent: the CRL is signed with an MD5 hash, and that is an insecure algorithm for signatures. Verification of signatures with an MD5 hash is disabled by default in RHEL 7.
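
The quickest way to confirm the diagnosis above on a single file is `openssl crl -noout -text -in revokeRootCA2013.pem`, whose "Signature Algorithm" line names the digest the CRL was signed with. The following Python script is an added example, not part of this bug report or of any Red Hat tooling: it reads the signatureAlgorithm OID straight out of the CRL's DER structure using only the standard library, so it can audit a directory of CRLs for MD5 signatures regardless of the local OpenSSL policy (the OpenSSL on RHEL 7 that rejects the CRL, or an older one that still accepts it). The `make_sample_crl_pem` helper builds a constructed, dummy-signed CRL purely so the script has something to run on offline; the OID table, function names and the "Constructed Test CA" issuer are the example's own assumptions.

```python
import base64
import re
import sys

# Signature algorithm OIDs the checker recognises (assumed table; values from RFC 3279/4055/5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV beginning at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    """Extract and base64-decode the X509 CRL block from PEM text."""
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", pem_text, re.S)
    if not m:
        raise ValueError("no X509 CRL block found")
    return base64.b64decode("".join(m.group(1).split()))


def crl_signature_algorithm(der):
    """Walk CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
    and return (oid, name) of the outer signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CRL is not a SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)          # skip tbsCertList
    if tag != 0x30:
        raise ValueError("tbsCertList is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


def check_crl(pem_text):
    """Report the CRL's signature algorithm and whether it is MD5-based (rejected on RHEL 7)."""
    oid, name = crl_signature_algorithm(pem_to_der(pem_text))
    return {"oid": oid, "algorithm": name, "md5_signed": "md5" in name.lower()}


# --- constructed sample data so the script runs offline (not a real, validly signed CRL) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def make_sample_crl_pem(sig_oid):
    """Build a structurally valid CRL whose signature bytes are dummy zeros (constructed sample)."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL params
    cn = _der(0x30, _der(0x06, _encode_oid("2.5.4.3")) + _der(0x0C, b"Constructed Test CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg_id + issuer
               + _der(0x17, b"150101000000Z") + _der(0x17, b"160101000000Z"))
    sig = _der(0x03, b"\x00" + b"\x00" * 32)                                 # dummy BIT STRING
    der = _der(0x30, tbs + alg_id + sig)
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(der).decode() + "-----END X509 CRL-----\n"


if __name__ == "__main__":
    # With file arguments: audit real CRLs. Without: demonstrate on the constructed samples.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [
        ("sample-md5.pem", make_sample_crl_pem("1.2.840.113549.1.1.4")),
        ("sample-sha256.pem", make_sample_crl_pem("1.2.840.113549.1.1.11")),
    ]
    for label, pem in sources:
        r = check_crl(pem)
        print(f"{label}: {r['algorithm']} ({r['oid']})" + ("  <-- MD5-signed, rejected on RHEL 7" if r["md5_signed"] else ""))
```

Run it with one or more CRL files as arguments to get one line per file; a CRL flagged as MD5-signed is the situation this bug describes, and the remedy lies with the issuing CA, which has to re-issue the CRL signed with a SHA-2 digest rather than with any change on the verifying host.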

Comment 4 Tim Mooney 2015-09-23 18:10:02 UTC
That's a fine security change, but is it documented anywhere?  It's not mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes.

How is a customer supposed to know about this change, if it's not documented?

Shouldn't this be reassigned to the documentation team?

Comment 5 Laura Bailey 2015-10-12 09:07:05 UTC
Reassigning all of my bugs to the new DPM Tomas Capek.

Comment 8 Mirek Jahoda 2016-06-02 09:38:32 UTC
(In reply to Tim Mooney from comment #4)
> That's a fine security change, but is it documented anywhere?  It's not
> mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes.
> 
> How is a customer supposed to know about this change, if it's not documented?
> 
> Shouldn't this be reassigned to the documentation team?

Hello Tim,

you can find the mention in the RHEL 7.0 Release Notes [1] and we will also put this change in the 7.1/7.2 Release Notes. I've just added the admonition at the end of the section Verifying Certificates in the RHEL 7 Security Guide (it should be published on the RH Customer Portal in a couple of days).

Have a nice day,
--Mirek

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.0_Release_Notes/Known-Issues-Networking.html

Comment 9 Mirek Jahoda 2016-06-06 09:43:14 UTC
The solution is published on the Red Hat Customer Portal: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Verifying_Certificates (closing the bug)

