OCSP hash algorithm agility
Stefan Winter
stefan.winter at restena.lu
Thu Jan 12 12:58:52 CET 2017
Hello,
>> Perhaps try upgrading OpenSSL.
>
> Agreed, you need at least 0.9.8l for sha256
This is CentOS 7, OpenSSL 1.0.1e-fips 11 Feb 2013
I'm fairly certain that a generic "SHA256 support" is not specific
enough; OpenSSL would have to know that at exactly this place SHA256 is
expected and needs to be supported.
> Looking through the OCSP API we can control the digest algorithms used for generating the request, so we might be able to swap the digests to SHA256, which would likely fix your issue, but agreed the OpenSSL code should be more agile.
Digest crypto agility is not the issue (also the failing response didn't
fail on the SHA256 digest response signature). It's rather about
controlling the hash algo for the issuer key and name.
If this is all on OpenSSL's side then I guess the only thing to say is
"too bad". I'll stick with SHA1 then.
Greetings,
Stefan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170112/21f954d8/attachment.sig>
More information about the Freeradius-Users
mailing list