View Issue Details

ID: 0013149
Project: CentOS-6
Category: openssl
View Status: public
Last Update: 2017-04-26 10:38
Status: new
Resolution: open
Platform: x86_64
OS: centos
OS Version: 6
Product Version: 6.9
Target Version:
Fixed in Version:
Summary: 0013149: Openssl libcrypto issue
Description: Openssl is breaking a working OpenVPN server after upgrade. The Openssl ca file can't verify the cert file and gives the following error.

openssl verify -CAfile ca.crt client.crt

error 7 at 0 depth lookup:certificate signature failure
140025060349768:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:217:

This works fine on other servers with old openssl version.

New Openssl version: openssl-1.0.1e-57.el6.x86_64
Old Openssl version: openssl-1.0.1e-48.el6_8.3.x86_64

Steps To Reproduce: Generate ca cert, ca key, openssl server cert and server key with old openssl version and then update the openssl version. Same certs will not work anymore.
Additional Information: If we replace new /usr/lib64/ with old package file, all works fine.
Tags: No tags attached.




2017-04-22 05:27

reporter   ~0029118

Can you indicate the signature algorithm used on your certificate(s)?

openssl x509 -in {certfile.crt} -noout -text | grep Signature

I found that with this new "57" release of openssl, certs with a signature algorithm of md5WithRSAEncryption now fail. Rekeyed the certs so that they are now sha256WithRSAEncryption and those certs are now accepted.


2017-04-24 13:41

reporter   ~0029140

Ok. This is correct. But it can be troublesome to change all the certificates in our case. Is there any specific reason to remove the support for md5WithRSAEncryption?


2017-04-26 10:38

manager   ~0029151

The specific reason for removing support for MD5 is that MD5 is no longer considered secure.

Issue History

Date Modified Username Field Change
2017-04-19 14:04 rjops New Issue
2017-04-22 05:27 tinnyb Note Added: 0029118
2017-04-24 13:41 rjops Note Added: 0029140
2017-04-26 10:38 avij Note Added: 0029151