- Type: Improvement
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
- Environment: Debian GNU/Linux bullseye, openssl v1.1.1c
- Fully Compatible
- v4.2, v4.0, v3.6, v3.4
- Security 2019-10-07, Security 2019-10-21, Security 2019-11-04
- 40
On certain newer implementations of openssl, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead.
This causes test failures. I discovered this when testing kmip.js on my system, which failed with:
cannot read certificate file: src/mongo/db/modules/enterprise/jstests/encryptdb/libs/client_password_protected.pem error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context.
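The practical question behind this ticket is "which of our test certificates are still signed with SHA-1?". The following is an added example, not code from the ticket or from the MongoDB repository: a stdlib-only Python script that walks the outer DER structure of each CERTIFICATE block in a PEM file and reports the signatureAlgorithm OID, flagging SHA-1 and MD5 signatures, the ones OpenSSL 1.1.1 refuses with "ca md too weak" under a default-level security configuration such as Debian's. The OID table and the two sample "certificates" are constructed for the example (the samples carry only a placeholder tbsCertificate and an empty signature, so they are not valid certificates, only valid DER for the fields this check reads).

```python
"""Report the signature digest of every certificate in a PEM file.

Added example (not from the ticket or the MongoDB code base): a minimal DER
walk that extracts the signatureAlgorithm OID from each CERTIFICATE block so a
directory of test certificates can be scanned for SHA-1/MD5 signatures.
"""
import base64
import re
import sys

# Signature-algorithm OIDs and the digest each one implies (assumed table).
SIG_ALG_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.113549.1.1.14": "sha224",
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.1": "sha224",
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512",
}
WEAK_DIGESTS = {"md5", "sha1"}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certificates(pem_text):
    """Yield DER bytes for each CERTIFICATE block; key blocks in the same
    .pem (as in client_password_protected.pem) are skipped."""
    for body in PEM_RE.findall(pem_text):
        yield base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER's content bytes."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID inside signatureAlgorithm (the field the security-level check looks at)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return decode_oid(oid)


def classify_pem(pem_text):
    """[(oid, digest, is_weak), ...] per certificate. Unknown OIDs (e.g. RSASSA-PSS,
    whose digest sits in the parameters) get digest None for manual review."""
    out = []
    for der in pem_certificates(pem_text):
        oid = signature_algorithm_oid(der)
        digest = SIG_ALG_DIGEST.get(oid)
        out.append((oid, digest, digest in WEAK_DIGESTS))
    return out


# --- constructed sample input (not real certificates) -----------------------
def _der(tag, payload):
    return bytes([tag, len(payload)]) + payload      # short-form length suffices


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)


def fake_cert_pem(sig_oid):
    """Placeholder tbsCertificate (just a serial) + AlgorithmIdentifier + empty BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


SHA1_PEM = fake_cert_pem("1.2.840.113549.1.1.5")
SHA256_PEM = fake_cert_pem("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            for oid, digest, weak in classify_pem(fh.read()):
                print("%s: %s (%s)%s" % (path, oid, digest, "  <-- too weak" if weak else ""))
```

Run it over the jstests certificate directory (`python3 certdigest.py libs/*.pem`) to get the list of files to regenerate; the equivalent manual check for a single file is `openssl x509 -in client.pem -noout -text | grep 'Signature Algorithm'`. When regenerating, pass `-sha256` to `openssl req -x509` / `openssl x509 -req` / `openssl ca` so the new certificates do not depend on lowering the system-wide SECLEVEL, which is the workaround the ticket rightly avoids.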