OpenSSL error 'unknown message digest algorithm' during server operations

Product: IMiS/ARChive
Release: All
Date: 02/07/2023

Case: The OpenSSL error 'unknown message digest algorithm' may occur during server operations that use the internal certificate store (adding CA certificates to the store, saving content with a digital signature ...). This article describes why the error happens and a possible workaround for Red Hat 7 and its derivatives.

Description: The OpenSSL error 'unknown message digest algorithm' may occur when deprecated digest algorithms are used. Examples of deprecated digest algorithms:
Example of a commit log error that occurs when a certificate chain is validated and one of the certificates uses a deprecated digest algorithm:

<iarc:commitlog xmlns:iarc="http://www.imis.si/imisarc/commitlog.xsd" start="2023-02-07T13:35:20.051Z" end="2023-02-07T13:35:20.849Z"><iarc:dsigverify>Digital signature verification started: 2023-02-07T13:35:20.051Z
========================================
Verifying 001_deprecated_certificate_chain.pdf [84da8e72faf0e42efc33956808620bbd34a1020f2b27d8c57ad3731423cc9382]:
Signature status: VALID
Error occurred while checking certificate chain (Error occurred during signature verification. Reason: 'error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm'.)
========================================
Digital signature verification ended: 2023-02-07T13:35:20.849Z</iarc:dsigverify></iarc:commitlog>

Do not use certificates with deprecated digest algorithms: they are vulnerable to collision attacks and are therefore insecure. If such certificates must be used, the system administrator must enable the deprecated algorithms through the OpenSSL legacy settings. Create or edit '/etc/pki/tls/legacy-settings' and add the deprecated digest algorithms to the 'LegacySigningMDs' option, then restart the IMiS ARChive server; the changes take effect only after the restart. This workaround is documented for Red Hat 7 and its derivatives and may not work on other operating systems. The following example enables the MD4 and MD5 digest algorithms in OpenSSL (note that the command overwrites any existing contents of the file):

echo 'LegacySigningMDs md5 md4' > /etc/pki/tls/legacy-settings

Related Documents:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-deprecated_functionality_in_rhel7
https://github.com/sergiomb2/openssl-freeworld/blob/master/openssl-1.0.2j-deprecate-algos.patch
https://linux.oracle.com/errata/ELSA-2019-4581.html
https://datatracker.ietf.org/doc/html/rfc1507
https://eprint.iacr.org/2004/199.pdf
https://www.win.tue.nl/hashclash/fastcoll.pdf
https://en.wikipedia.org/wiki/Collision_attack
Database 'IMiS Knowledge database', View 'By Product', Document 'Configuring crypto policies in Red Hat Enterprise Linux 8 and 9 (and its derivatives)'
