Red Hat Bugzilla – Bug 169803
CVE-2005-2946 openssl insecure default message digest
Last modified: 2007-11-30 17:07:20 EST
The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message
digests instead of a more cryptographically strong algorithm, which makes it
easier for remote attackers to forge certificates with a valid certificate
I'm not sure if this is something we want to or can change in RHEL. I'm filing
this bug so we have a placeholder for this issue, and so we have a public place
for comments regarding it.
While the weakness of md5 is real, it is not right to blindly proclaim
everything that uses it broken.
Consider this the placeholder for RHEL2, RHEL3 and RHEL4
There is more information regarding this here:
As openssl.cnf is %config(noreplace) for all RHELs I think it shouldn't be a
problem to fix it there too.
It is really debatable if we want to change the default. On systems where
security of issued certificates is really critical the sha1 hash should have
been used long ago and the default can be easily changed by modification of
the config file. Also this fix is probably not enough as there should also be
some changes on the verification side - at least some warnings when certificates
with MD5 hashes are used or so.
I've fixed this (changed the default to sha1) in the Fedora Core development package.
Leaving still open for the RHEL 4 and older consideration.
won't fix for rhel4/3/2.1
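
The default discussed in this thread is the `default_md` setting in openssl.cnf. As an added example (not part of the original bug report and not OpenSSL code), this Python script audits config text for sections that still set `default_md = md5`; the function names and the sample config are constructed for illustration.

```python
import re
import sys

# Constructed sample, not a shipped openssl.cnf.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
default_days = 365
default_md = md5        # digest used when signing
# default_md = sha1

[ req ]
default_bits = 1024
default_md = sha1
"""

WEAK_DIGESTS = {"md5"}  # the digest this bug report is about
SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def find_default_md(cnf_text):
    """Return (section, line_number, digest) for every active default_md line."""
    section = "default"  # settings before the first [ section ] header
    found = []
    for lineno, raw in enumerate(cnf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, so line 8 is ignored
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "default_md":
            found.append((section, lineno, value.strip().lower()))
    return found


def audit(cnf_text, weak=WEAK_DIGESTS):
    """Return only the default_md settings whose digest is in the weak set."""
    return [hit for hit in find_default_md(cnf_text) if hit[2] in weak]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CNF
    for section, lineno, digest in audit(text):
        print(f"line {lineno}: [{section}] default_md = {digest} (weak)")
```

Because openssl.cnf is packaged as %config(noreplace), a locally modified file keeps its old value across package updates, so the check is worth running on the file actually installed.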