On Wed, Aug 19, 2009, Carlo Milono wrote:

>
> [<cm>] My Public Sector Customers seem happy with the functionality, though
> not without a shock: many of their certificates were signed with MD5 (and
> MD2) and our application now happily rejects them (and their CA was
> self-signed with MD5, so ditto their CA).
>
Note that the current unreleased version of OpenSSL 0.9.8 (which will be 0.9.8l) will by default ignore the root CA signature for efficiency purposes. A side effect of this is that as long as only the root CA uses a non-FIPS algorithm (e.g. MD5) it will work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org