openssl: fix SHA1 and NO-ENFORCE-EMS interaction (!152) · Merge requests · redhat-crypto / fedora-crypto-policies

Alexander Sosedkin requested to merge fix-sha1-no-enforce-ems-interaction into rhel9 Sep 29, 2023

Without the change, Options = RHNoEnforceEMSinFIPS is misplaced when SHA-1 is enabled. Which shouldn't really happen because it's FIPS-only, and FIPS users aren't supposed to enable SHA-1, but still

[evp_properties]
rh-allow-sha1-signatures = yes
Options = RHNoEnforceEMSinFIPS

Fedora doesn't seem to have such a bug, it's an issue introduced during backporting NO-ENFORCE-EMS to RHEL.

openssl: fix SHA1 and NO-ENFORCE-EMS interaction

Merge request reports