Bug 987550 - OCSP responses with MD5withRSA signatures are accepted as secure
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl
unspecified Severity medium
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
Blocks: 1020341
Reported: 2013-07-23 11:55 EDT by Hubert Kario
Modified: 2013-11-12 10:43 EST
Doc Type: Bug Fix
Last Closed: 2013-11-12 10:43:21 EST
Type: Bug
Description Hubert Kario 2013-07-23 11:55:07 EDT
Description of problem:
The openssl ocsp client considers responses signed with the MD5withRSA algorithm to be trustworthy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start an OCSP responder with CA certificates and make it sign responses using MD5withRSA
2. Try to verify any certificate signed by this CA

Actual results:
Response verify OK
certs/server_cert.pem: good
        This Update: Jul 23 15:48:26 2013 GMT

Expected results:
Response verification failure

Additional info:
Comment 2 RHEL Product and Program Management 2013-10-13 23:03:11 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
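
A client-side check for the condition reported in this bug, as an added example that is not part of the bug report and is not OpenSSL code: it reads the signatureAlgorithm OID out of a DER-encoded OCSP response (RFC 6960 layout) and refuses MD2/MD5-based RSA signatures before the response is trusted. The function names are hypothetical, and the sample responses are constructed skeletons (empty tbsResponseData, dummy signature), so the signature itself is not verified here.

```python
# Added example, not OpenSSL code: refuse OCSP responses signed with a weak digest.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
OCSP_BASIC = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic

def children(buf):                                 # split DER bytes into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(val):                               # DER OID contents -> dotted form
    arcs, acc = [], 0
    for b in val:                                  # base-128, high bit means "more"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def ocsp_signature_oid(der):                       # BasicOCSPResponse.signatureAlgorithm
    fields = children(children(der)[0][1])         # responseStatus, [0] responseBytes
    if len(fields) < 2 or fields[1][0] != 0xA0:
        raise ValueError("no responseBytes (responder returned an error status)")
    rtype, basic_der = children(children(fields[1][1])[0][1])
    if rtype[1] != OCSP_BASIC:
        raise ValueError("not a basic OCSP response")
    basic = children(children(basic_der[1])[0][1]) # tbsResponseData, sigAlg, signature
    return decode_oid(children(basic[1][1])[0][1])

def check_ocsp_signature(der):                     # returns the OID or raises ValueError
    oid = ocsp_signature_oid(der)
    if oid in WEAK_SIG_OIDS:
        raise ValueError("weak OCSP signature algorithm: " + WEAK_SIG_OIDS[oid])
    return oid

def tlv(tag, *parts):                              # DER encoder, short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def sample_response(sig_oid_hex):                  # constructed skeleton, not a real response
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)), tlv(0x05))
    basic = tlv(0x30, tlv(0x30), alg, tlv(0x03, b"\x00"))
    rb = tlv(0x30, tlv(0x06, OCSP_BASIC), tlv(0x04, basic))
    return tlv(0x30, tlv(0x0A, b"\x00"), tlv(0xA0, rb))
```

Calling `check_ocsp_signature(sample_response("2a864886f70d010104"))` raises `ValueError` naming md5WithRSAEncryption, while the same skeleton with the sha256WithRSAEncryption OID passes.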
