https://bugzilla.redhat.com/show_bug.cgi?id=1158767
Bug ID: 1158767 Summary: RELNOTES - Certificates signed with MD5 algorithm are not verified anymore Product: Fedora Documentation Version: devel Component: release-notes Assignee: relnotes@fedoraproject.org Reporter: tmraz@redhat.com QA Contact: docs-qa@lists.fedoraproject.org CC: relnotes@fedoraproject.org, wb8rcr@arrl.net, zach@oglesby.co Blocks: 168083 (fc5-relnotes-traqr)
OpenSSL was patched to disallow verification of certificates that are signed with MD5 algorithm. The use of MD5 hash algorithm for certificate signatures is now considered as insecure and thus all the main crypto libraries in Fedora were patched to reject such certificates.
Certificates signed with MD5 algorithm are not present on public https web sites anymore but they can be still in use on private networks or used for authentication on openvpn based VPNs such as in bug 1157260. It is highly recommended to replace such certificates with new ones signed with SHA256 or at least SHA1. As a temporary measure the OPENSSL_ENABLE_MD5_VERIFY environment variable can be set to allow verification of certificates signed with MD5 algorithm.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=168083 [Bug 168083] FC5 release notes tracker bug
https://bugzilla.redhat.com/show_bug.cgi?id=1158767
Pete Travis me@petetravis.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |MODIFIED CC| |me@petetravis.com Assignee|relnotes@fedoraproject.org |me@petetravis.com
--- Comment #1 from Pete Travis me@petetravis.com --- Thanks Tomas, noted in https://git.fedorahosted.org/cgit/docs/release-notes.git/commit/?id=b62fd2f4... and . You explained it well, so I shamelessly took your copy :)
https://bugzilla.redhat.com/show_bug.cgi?id=1158767
Cristian Ciupitu cristian.ciupitu@yahoo.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|MODIFIED |VERIFIED CC| |cristian.ciupitu@yahoo.com QA Contact|docs-qa@lists.fedoraproject |cristian.ciupitu@yahoo.com |.org |
docs-qa@lists.fedoraproject.org