diff -up openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify openssl-1.0.2a/crypto/asn1/a_verify.c
--- openssl-1.0.2a/crypto/asn1/a_verify.c.no-md5-verify	2015-04-09 18:20:58.829680829 +0200
+++ openssl-1.0.2a/crypto/asn1/a_verify.c	2015-04-09 18:20:54.495580710 +0200
@@ -56,6 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
+/* for secure_getenv */
+#define _GNU_SOURCE
+
 #include <stdio.h>
 #include <time.h>
 
@@ -171,6 +174,11 @@ int ASN1_item_verify(const ASN1_ITEM *it
         if (ret != 2)
             goto err;
         ret = -1;
+    } else if (mdnid == NID_md5
+               && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) {
+        ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
+                ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+        goto err;
     } else {
         const EVP_MD *type;
         type = EVP_get_digestbynid(mdnid);