>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>> straight off CentOS 7 repos:
>
> Ugh. No need for 0.9.8e (which is from, what, the early Industrial 
> Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't 
> disabled in the build configuration. I think Stuart is dealing with an 
> OpenSSL build that had MD5 disabled in the Configure step.
>
> Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default 
> configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, 
> MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.

Some of those algorithms may still be needed for some use cases. For
example, Apple still ships (or used to ship until recently) some
certificates that use MD2. They were present in iOS 7 and 8. Also see
http://seclists.org/fulldisclosure/2013/Sep/184.

I think the best OpenSSL can do for now is allow those who don't need
antique algorithms to disable them at compile time. Otherwise, OpenSSL
is making policy decisions that may not work well for some folks.

Jeff
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
