OCSP hash algorithm agility

Stefan Winter stefan.winter at restena.lu
Thu Jan 12 12:58:52 CET 2017


>> Perhaps try upgrading OpenSSL.
> Agreed, you need at least 0.9.8l for sha256

This is CentOS 7, OpenSSL 1.0.1e-fips 11 Feb 2013

I'm fairly certain that a generic "SHA256 support" is not specific
enough; OpenSSL would have to know that at exactly this place SHA256 is
expected and needs to be supported.

> Looking through the OCSP API we can control the digest algorithms used for generating the request, so we might be able to swap the digests to SHA256, which would likely fix your issue, but agreed the OpenSSL code should be more agile.

Digest crypto agility is not the issue (also the failing response didn't
fail on the SHA256 digest response signature). It's rather about
controlling the hash algo for the issuer key and name.

If this is all on OpenSSL's side then I guess the only thing to say is
"too bad". I'll stick with SHA1 then.



Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170112/21f954d8/attachment.sig>

More information about the Freeradius-Users mailing list