Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-24 Thread Wouter Verhelst
Stefan Eissing wrote on Wed 23-10-2019 at 17:38 [+0200]: > mod_ssl does no special SHA-1 check. What you see is the error message from openssl itself (wrapped in a log number thing for traceability). So, the question is why your openssl is ok with what your apache linked openssl denies. Sigh:

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread @lbutlr
On 23 Oct 2019, at 09:38, Stefan Eissing wrote: > "WARNING at this time setting the security level higher than 1 for general > internet use is likely to cause considerable interoperability issues and is > not recommended. This is because the SHA1 algorithm is very widely used in > certificates

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Stefan Eissing
mod_ssl does no special SHA-1 check. What you see is the error message from openssl itself (wrapped in a log number thing for traceability). So, the question is why your openssl is ok with what your apache linked openssl denies. I found at

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Wouter Verhelst
Hi Stefan, Stefan Eissing wrote on Wed 23-10-2019 at 16:33 [+0200]: > I assume you have tried openssl standalone on such a certificate? > https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Thanks for pointing that out. I hadn't tried it yet,

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Wouter Verhelst
@lbutlr wrote on Wed 23-10-2019 at 07:48 [-0600]: > On 23 Oct 2019, at 03:49, Wouter Verhelst <wouter.verhe...@zetes.com> wrote: >> I know that SHA1 is insecure these days, but I have no control over the algorithms used in this particular CA, and I need to be

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Stefan Eissing
I assume you have tried openssl standalone on such a certificate? https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Since, I do not know of any specific checks added for this in Apache, I assume that openssl updated its verification

Re: [users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread @lbutlr
On 23 Oct 2019, at 03:49, Wouter Verhelst wrote: > I know that SHA1 is insecure these days, but I have no control over the > algorithms used in this particular CA, and I need to be able to use it. This is a case of pushing back to get the incompetent CA to update. Even if you manage to get

[users@httpd] Enabling SHA1 for client certificates

2019-10-23 Thread Wouter Verhelst
Hi, For reasons beyond my control, I need to allow client certificate authentication with certificates that are signed with SHA1 (I know -- don't ask). Upon installing Apache from Debian 10 "buster" and installing the CA certificate under SSLCACertificateFile, however, I get the following: