2018-01-21 01:11 UTC

ID: 0013149
Project: CentOS-6
Category: openssl
View Status: public
Last Update: 2017-04-26 10:38
Platform: x86_64
OS: centos
OS Version: 6
Product Version: 6.9
Target Version:
Fixed in Version:
Summary: 0013149: Openssl libcrypto issue
Description: Openssl is breaking working OpenVPN server after upgrade. Openssl ca file can't verify the cert file and gives the following error.

openssl verify -CAfile ca.crt client.crt

error 7 at 0 depth lookup:certificate signature failure
140025060349768:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:

This works fine on other servers with old openssl version.

New Openssl version :- openssl-1.0.1e-57.el6.x86_64
Old Openssl version :- openssl-1.0.1e-48.el6_8.3.x86_64

Steps To Reproduce: Generate ca cert, ca key, openssl server cert and server key with old openssl version and then update the openssl version. Same certs will not work anymore.
Additional Information: If we replace new /usr/lib64/libcrypto.so.1.0.1e with old package file, all works fine.
Tags: No tags attached.

tinnyb (reporter)

Can you indicate the signature algorithm used on your certificate(s)?

openssl x509 -in {certfile.crt} -noout -text | grep Signature

I found that with this new "57" release of openssl, certs with a signature algorithm of md5WithRSAEncryption now fail. Rekeyed the certs so that they are now sha256WithRSAEncryption and those certs are now accepted.


rjops (reporter)

Ok. This is correct. But it can be troublesome to change all the certificates in our case. Is there any specific reason to remove the support for md5WithRSAEncryption?


avij (manager)

The specific reason for removing support for MD5 is that MD5 is no longer considered secure.

Issue History
Date Modified Username Field Change
2017-04-19 14:04 rjops New Issue
2017-04-22 05:27 tinnyb Note Added: 0029118
2017-04-24 13:41 rjops Note Added: 0029140
2017-04-26 10:38 avij Note Added: 0029151