Closed richlander closed 4 days ago
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones See info in area-owners.md if you want to be subscribed.
Note that we'll need to do this in .NET 8, 9, and main branches. We should have a conversation on whether this makes sense to backport to .NET 6. .NET 6 is supported on Azure Linux 3.0. I had been intending on adding this helix image to the .NET 6 branch.
There aren't any product changes anticipated here. The underlying library says "thou shalt not do RSA signatures with MD5" (or MD4, etc), and we're just going to accept that.
All we're going to do is make the tests tolerate it.
Given that there are only 3 patch updates left for 6, I don't think it makes any sense to port test-only changes there, or turn on a new OS in the test matrix.
Also to set some expectations, there are a considerable number of things broken besides RSA+MD5 (see attached log with full results). It's going to take time to work through these, and not all of them will be fixed by OPENSSL_ENABLE_MD5_VERIFY, in fact most won't.
As a condition to considering this issue complete, we need to remember to undo this change:
This is complete and all backports are merged, so I think this can be closed.
Please re-open if there are still any outstanding issues to address.
main
release/9.0
https://github.com/dotnet/runtime/pull/106980
release/8.0
https://github.com/dotnet/runtime/pull/107061
Context: https://github.com/dotnet/runtime/pull/106330#issuecomment-2291831508