The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptorgaphically strong algorithm, which makes it easier for remote attackers to forge certificates with a valid certificate authority signature. I'm not sure if this is something we want to or can change in RHEL. I'm filing this bug so we have a placeholder for this issue, and so we have a public place for comments regarding it. While the weakness of md5 is real, it is not right to blindly proclaim everything that uses it broken. Consider this the placeholder for RHEL2, RHEL3 and RHEL4
There is more information regarding this here: https://bugzilla.ubuntu.com/show_bug.cgi?id=13593
As openssl.cnf is %config(noreplace) for all RHELs I think it shouldn't be a problem to fix it there too.
It is really debatable if we want to change the default. On systems where security of issued certificates is really critical the sha1 hash should have been used a long ago and the default can be easily changed by modification of the config file. Also this fix is probably not enough as there should be also some changes on the verification side - at least some warnings when certificates with MD5 hashes are used or so.
I've fixed this (changed the default to sha1) in Fedora Core development package. Leaving still open for the RHEL 4 and older consideration.
won't fix for rhel4/3/2.1