commit b62fd2f437813d9fb95d770a0a0bfce21256fd2a
Author: Pete Travis <immanetize(a)fedoraproject.org>
Date: Sat Dec 6 11:07:27 2014 -0700
no more md5 signed certs, bz 1158767
en-US/Security.xml | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
---
diff --git a/en-US/Security.xml b/en-US/Security.xml
index a6d667a..cf01960 100644
--- a/en-US/Security.xml
+++ b/en-US/Security.xml
@@ -32,4 +32,13 @@
<para>More information about this change can be found at:
<ulink
url="https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGP...
/></para>
</section>
+ <section id="security-openssl-md5">
+ <title>MD5 signed certificates are rejected</title>
+ <para>
+ OpenSSL was patched to disallow verification of certificates that are signed with
MD5 algorithm. The use of MD5 hash algorithm for certificate signatures is now considered
as insecure and thus all the main crypto libraries in Fedora were patched to reject such
certificates.
+ </para>
+ <para>
+ Certificates signed with MD5 algorithm are not present on public https web sites
anymore but they can be still in use on private networks or used for authentication on
openvpn based VPNs such as in bug 1157260. It is highly recommended to replace such
certificates with new ones signed with SHA256 or at least SHA1. As a temporary measure the
<envar>OPENSSL_ENABLE_MD5_VERIFY</envar> environment variable can be set to
allow verification of certificates signed with MD5 algorithm.
+ </para>
+ </section>
</section>