Hi Stefan, Stefan Eissing schreef op wo 23-10-2019 om 16:33 [+0200]:
I assume you have tried openssl standalone on such a certificate? https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify#26520714 Thanks for pointing that out. I hadn't tried it yet, but when I do so now, it does succeed: wouter@host<file:///root@h>:~$ openssl verify -CAfile /etc/apache2/ca-bundle.pem test.pem test.pem: OK where that ca-bundle.pem file is the file that I point to from SSLCACertificateFile in my apache config, and test.pem is the certificate that I used for testing and that resulted in the log line below. So it must be something in apache, as I had (apparently correctly) guessed from the log message. Since, I do not know of any specific checks added for this in Apache, I assume that openssl updated its verification implementation. The command line should let you verify that. If this is the case, question would be if some openssl config parameter can disable that for you. I think there are some people around here who should be able to find that out, once you have verified that with your certs. Cheers, Stefan Am 23.10.2019 um 11:49 schrieb Wouter Verhelst <Wouter.Verhelst @zetes.com>: Hi, For reasons beyond my control, I need to allow client certificate authentication with certificates that are signed with SHA1 (I know -- don't ask). Upon installing Apache from Debian 10 "buster" and installing the CA certificate under SSLCACertificateFile, however, I get the following: [Wed Oct 23 11:41:23.336834 2019] [ssl:info] [pid 7424] [client 172.16.57.80:38728] AH02276: Certificate Verification: Error (68): CA signature digest algorithm too weak [....certificate details snipped for privacy....] I know that SHA1 is insecure these days, but I have no control over the algorithms used in this particular CA, and I need to be able to use it. I tried disabling TLSv1.3 and setting the value of SSLCipherSuite to "HIGH:SHA1", but to no effect. Anyone have any idea if it's possible to relax the requirements for client CAs somehow? (Debian buster comes with httpd 2.4.38 and OpenSSL 1.1.1d) Thanks, --------------------------------------------------------------------- To unsubscribe, e-mail: <mailto:users-unsubscr...@httpd.apache.org> users-unsubscr...@httpd.apache.org For additional commands, e-mail: <mailto:users-h...@httpd.apache.org> users-h...@httpd.apache.org
