FIPS mode is a policy decision in my opinion also, but since Red Hat prides itself on security (e.g. SELinux, etc.), I believe that is a Red Hat decision as opposed to the OpenSSL community. The alternative would be to use a different Linux distro like Ubuntu, etc. which does not compile their OpenSSL with FIPS enabled natively to support legacy algorithms.

*FYI I am not speaking on behalf of Red Hat or OpenSSL.* This is all conjecture and my 2 cents :-)

On Wed, Sep 27, 2017 at 3:15 PM, Jeffrey Walton <noloa...@gmail.com> wrote:

> >> I don't know offhand which OpenSSL versions did away with MD5, but you
> >> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
> >> straight off CentOS 7 repos:
> >
> > Ugh. No need for 0.9.8e (which is from, what, the early Industrial
> > Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't
> > disabled in the build configuration. I think Stuart is dealing with an
> > OpenSSL build that had MD5 disabled in the Configure step.
> >
> > Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default
> > configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4,
> > MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and
> > Whirlpool.
>
> Some of those algorithms may still be needed for some use cases. For
> example, Apple still ships (or used to ship until recently) some
> certificates that use MD2. They were present in iOS 7 and 8. Also see
> http://seclists.org/fulldisclosure/2013/Sep/184.
>
> I think the best OpenSSL can do for now is allow those who don't need
> antique algorithms to disable them at compile time. Otherwise, OpenSSL
> is making policy decisions that may not work well for some folks.
>
> Jeff
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users