Red Hat Bugzilla – Bug 1265434
openssl crl verification error
Last modified: 2016-06-06 05:43:14 EDT
Description of problem:
Using "openssl crl" on Red Hat Enterprise Linux 7 fails to verify the CRL. The exact same command with the same CA and CRL files works on earlier versions of RHEL.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Execute the following with a CA and a CRL in PEM format:
openssl crl -CAfile RootCA2013.pem -in revokeRootCA2013.pem
No output, and the verification fails.
Compare the results of the same command using openssl on RHEL 5.x and 6.x:
$ openssl crl -CAfile RootCA2013.pem -in revokeRootCA2013.pem
-----BEGIN X509 CRL-----
-----END X509 CRL-----
Note: despite nearly identical package versions between RHEL 6.x and RHEL 7.x, the verification fails on RHEL 7 but works on RHEL 6.
This is probably caused by the bug that Stephen Henson confirms in this thread:
Can you please use Red Hat Support contact to report the issue? It is needed to properly prioritize the fix.
After inspection of the CRL the issue is apparent: the CRL is signed with an MD5 hash, and that is an insecure algorithm for signatures. Verification of signatures with an MD5 hash is disabled by default in RHEL 7.
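The quickest way to confirm the diagnosis above with the openssl CLI is `openssl crl -in revokeRootCA2013.pem -noout -text | grep 'Signature Algorithm'`, which prints `md5WithRSAEncryption` for a CRL like the one in this report. The script below is an added example, not code from the bug report or from Red Hat: it reads the signatureAlgorithm OID straight out of the CRL's DER structure without linking against OpenSSL, so a batch of CRLs can be screened for MD5 (and, as an extra classification chosen here, SHA-1) signatures before they are fed to a RHEL 7 verifier that will reject them silently. It also checks that the algorithm inside TBSCertList matches the outer signatureAlgorithm, which RFC 5280 requires. The sample CRLs are constructed inline from an assumed issuer `CN=Example Root CA` with a dummy, non-verifiable signature; `check_crl()` and `load_crl()` are names chosen for this example.

```python
"""Flag the signature algorithm of an X.509 CRL without calling OpenSSL.

Added example (not the bug report's or Red Hat's code): a small DER walker that
reads the signatureAlgorithm OID of a CertificateList, so an MD5-signed CRL is
spotted before it reaches a verifier that rejects MD5, as RHEL 7's openssl does.
build_sample_crl() constructs test CRLs with a dummy signature (not verifiable).
"""
import base64
import re

WEAK_SIGNATURE_OIDS = {  # RFC 3279 identifiers; SHA-1 added here by choice
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
KNOWN_SIGNATURE_OIDS = {**WEAK_SIGNATURE_OIDS,  # plus RFC 4055 / RFC 5758
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, PRINTABLE, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x13, 0x17)

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x80|n, then n length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(contents):
    """OID content octets -> dotted form, e.g. 1.2.840.113549.1.1.4."""
    arcs, acc, pending = [contents[0] // 40, contents[0] % 40], 0, False
    for b in contents[1:]:
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def _algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, contents, _ = _read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(contents)

def load_crl(data):
    """Accept a '-----BEGIN X509 CRL-----' PEM block or raw DER; return DER."""
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def crl_signature_algorithms(der):
    """Return (tbs_oid, outer_oid); RFC 5280 5.1.1.2 requires them to match."""
    tag, cert_list, _ = _read_tlv(der, 0)
    tag2, tbs, pos = _read_tlv(cert_list, 0)        # tbsCertList
    tag3, outer_alg, _ = _read_tlv(cert_list, pos)  # signatureAlgorithm
    if (tag, tag2, tag3) != (SEQUENCE, SEQUENCE, SEQUENCE):
        raise ValueError("not a CertificateList")
    tag, first, pos = _read_tlv(tbs, 0)             # version INTEGER is optional
    if tag == INTEGER:
        tag, first, pos = _read_tlv(tbs, pos)       # TBSCertList.signature
    if tag != SEQUENCE:
        raise ValueError("TBSCertList.signature missing")
    return _algorithm_oid(first), _algorithm_oid(outer_alg)

def check_crl(data):
    """Classify the CRL's signature algorithm; 'weak' is what RHEL 7 rejects."""
    tbs_oid, outer_oid = crl_signature_algorithms(load_crl(data))
    return {"oid": outer_oid, "name": KNOWN_SIGNATURE_OIDS.get(outer_oid, "unknown"),
            "weak": outer_oid in WEAK_SIGNATURE_OIDS, "consistent": tbs_oid == outer_oid}

def _tlv(tag, contents):  # DER encoder for the constructed samples (short lengths only)
    assert len(contents) < 0x80
    return bytes([tag, len(contents)]) + contents

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_crl(sig_oid, tbs_oid=None):
    """Constructed PEM CRL from the assumed issuer CN=Example Root CA, dummy signature."""
    alg = lambda oid: _tlv(SEQUENCE, _tlv(OID, _encode_oid(oid)) + _tlv(NULL, b""))
    cn = _tlv(SEQUENCE, _tlv(OID, _encode_oid("2.5.4.3")) + _tlv(PRINTABLE, b"Example Root CA"))
    tbs = _tlv(SEQUENCE, _tlv(INTEGER, b"\x01") + alg(tbs_oid or sig_oid)
               + _tlv(SEQUENCE, _tlv(SET, cn)) + _tlv(UTCTIME, b"160606000000Z"))
    der = _tlv(SEQUENCE, tbs + alg(sig_oid) + _tlv(BIT_STRING, bytes(33)))
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN X509 CRL-----\n" + body + b"\n-----END X509 CRL-----\n"
```

Running `check_crl(open("revokeRootCA2013.pem", "rb").read())` on a real CRL returns a dict whose `weak` key is `True` for the MD5 case described in this report; the signature itself is never verified here, only the algorithm identifier is inspected, so the check is cheap enough to run over every CRL in a trust store during a RHEL 6 to RHEL 7 migration.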
That's a fine security change, but is it documented anywhere? It's not mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes.
How is a customer supposed to know about this change, if it's not documented?
Shouldn't this be reassigned to the documentation team?
Reassigning all of my bugs to the new DPM Tomas Capek.
(In reply to Tim Mooney from comment #4)
> That's a fine security change, but is it documented anywhere? It's not
> mentioned in the Red Hat Enterprise Linux 7.0 or 7.1 release notes.
> How is a customer supposed to know about this change, if it's not documented?
> Shouldn't this be reassigned to the documentation team?
You can find the mention in the RHEL 7.0 Release Notes, and we will also put this change in the 7.1/7.2 Release Notes. I've just added the admonition at the end of the section Verifying Certificates in the RHEL 7 Security Guide (it should be published on the RH Customer Portal in a couple of days).
Have a nice day,
The solution is published on the Red Hat Customer Portal: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Verifying_Certificates (closing the bug)