Hello,
Perhaps try upgrading OpenSSL.
Agreed, you need at least 0.9.8l for sha256
This is CentOS 7, OpenSSL 1.0.1e-fips 11 Feb 2013 I'm fairly certain that a generic "SHA256 support" is not specific enough; OpenSSL would have to know that at exactly this place SHA256 is expected and needs to be supported.
Looking through the OCSP API we can control the digest algorithms used for generating the request, so we might be able to swap the digests to SHA256, which would likely fix your issue, but agreed the OpenSSL code should be more agile.
Digest crypto agility is not the issue (also the failing response didn't fail on the SHA256 digest response signature). It's rather about controlling the hash algo for the issuer key and name. If this is all on OpenSSL's side then I guess the only thing to say is "too bad". I'll stick with SHA1 then. Greetings, Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66