OCSP hash algorithm agility

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Jan 12 09:46:00 CET 2017


> 
> We don't implement OCSP.  OpenSSL does.  We just call the OpenSSL API.  If it returns "no", there's not a lot we can do.
> 
> Perhaps try upgrading OpenSSL.

Agreed, you need at least 0.9.8l for sha256.

Looking through the OCSP API we can control the digest algorithms used for generating the request, so we might be able to swap the digests to SHA256, which would likely fix your issue, but agreed the OpenSSL code should be more agile.

-Arran 

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
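
An added illustration of the digest choice discussed above (not code from this thread, FreeRADIUS or OpenSSL): it builds the RFC 6960 CertID under SHA-1 and SHA-256 and shows that the two encodings do not match at a responder that indexes status by exact CertID bytes. The `Responder` class, the sample issuer and the premise that a responder indexes only one digest are assumptions constructed for the example.

```python
import hashlib

# DER-encoded OID contents for the two digest algorithms
OIDS = {"sha1": bytes.fromhex("2b0e03021a"),             # 1.3.14.3.2.26
        "sha256": bytes.fromhex("608648016503040201")}   # 2.16.840.1.101.3.4.2.1

def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def cert_id(alg, issuer_name_der, issuer_key_bits, serial):
    """Build the DER CertID of RFC 6960 section 4.1.1 under digest `alg`."""
    alg_id = der(0x30, der(0x06, OIDS[alg]) + der(0x05, b""))
    name_hash = hashlib.new(alg, issuer_name_der).digest()
    key_hash = hashlib.new(alg, issuer_key_bits).digest()
    serial_raw = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return der(0x30, alg_id + der(0x04, name_hash) + der(0x04, key_hash)
               + der(0x02, serial_raw))

class Responder:
    """Hypothetical responder that indexes status by exact CertID bytes."""
    def __init__(self, name_der, key_bits, statuses, algs):
        self.index = {cert_id(a, name_der, key_bits, s): st
                      for a in algs for s, st in statuses.items()}
    def status(self, request_cert_id):
        return self.index.get(request_cert_id, "unknown")

# Constructed sample issuer: Name "CN=Example CA" and stand-in key bytes.
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                      + der(0x0C, b"Example CA"))))
ISSUER_KEY = bytes(range(32))          # not a real public key
STATUSES = {0x1000: "good", 0x1001: "revoked"}

def demo():
    sha256_only = Responder(ISSUER_NAME, ISSUER_KEY, STATUSES, ["sha256"])
    agile = Responder(ISSUER_NAME, ISSUER_KEY, STATUSES, ["sha1", "sha256"])
    req_sha1 = cert_id("sha1", ISSUER_NAME, ISSUER_KEY, 0x1001)
    req_sha256 = cert_id("sha256", ISSUER_NAME, ISSUER_KEY, 0x1001)
    return {"sha256_only/sha1": sha256_only.status(req_sha1),
            "sha256_only/sha256": sha256_only.status(req_sha256),
            "agile/sha1": agile.status(req_sha1),
            "agile/sha256": agile.status(req_sha256)}

if __name__ == "__main__":
    print(demo())
```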