- Bug
- Resolution: Done-Errata
- ZStream
- rhel-sst-dotnet
- Red Hat Enterprise Linux
- Approved Blocker
This ticket is a follow-up for RHEL-22734 (https://issues.redhat.com/browse/RHEL-22734).
Upon further review we discovered that there are more services affected by this issue. The suggested OPENSSL_ENABLE_SHA1_SIGNATURES flag isn't taken into consideration in FIPS mode, which leaves us with no viable workaround.
The issue comes from the fact that certain third-party libraries have CheckCertificateRevocationList enabled when performing requests. Unfortunately, we cannot disable this flag.
This affects, for example, connections to databases, to third-party services, to customer-provided endpoints, etc.
For the moment we have decided to disable CRL checks altogether. This only fixes the issue temporarily, as we were made aware that CRL checks will become mandatory as of March 15, 2024.
We were wondering if there is a way for you guys to enable SHA1 for digital signature validation inside FIPS (as SHA1 is allowed in FIPS 140-2 and 140-3 for digital signature validation). This would allow us to use the recommended approach of defining OPENSSL_ENABLE_SHA1_SIGNATURES inside our containers.
- is related to: RHEL-22734 OpenSSL 3.0 & .NET: The remote certificate is invalid on Get when using CheckCertificateRevocationList (Closed)
- relates to: RHEL-28358 CheckCertificateRevocationList flag for SHA1 CAs (Planning)
- links to: RHBA-2024:133408 dotnet8.0 bug fix and enhancement update