Hello,

first and foremost, many thanks for the time and effort you guys (and
girls!) put in to 'keep the internet running' - and thank you for
encrypting my credit card data mostly every day (and other data every
single day)!

I am wondering why my version OpenSSL 1.0.1.i-1 (Arch Linux) is by default
still generating SHA-1 CSRs. So I have done the following:

    $ openssl req -new -sha256 -key privkey.pem -out sha256.csr
    $ openssl req -new -key privkey.pem -out normal.csr

and if I have a look inside those CSRs with

    $ openssl req -in $CSRFILE -noout -text

I get either

    Signature Algorithm: sha1WithRSAEncryption

from normal.csr and

    Signature Algorithm: sha256WithRSAEncryption

from sha256.csr.

Shouldn't it be the default to generate SHA-2 sigs? I understand SHA-2
support is not given on absolutely all devices out there, but I guess to
push things forward with SHA-1 deprecation it would help to generate
SHA-2 sigs by default and on the other hand, instructing openssl
specifically if you want SHA-1 signed certs.

Regards
Thomas
--
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint: CCBD 153A D257 CA7E A217 FDF7 5928 03D1 7588 9415
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
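
The check described in the message above, turned into a small audit script. This is an added example, not part of the original post and not OpenSSL project code; the function names and the sample excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report the signature digest of each CSR given as an
# argument and flag MD5/SHA-1 ones. The function names are hypothetical
# helpers, not OpenSSL commands.

# Pull the value of the first "Signature Algorithm:" line out of
# `openssl req -noout -text` output supplied on stdin.
sig_alg_from_text() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Map an OpenSSL signature algorithm name to weak / ok / unknown.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md2*|md4*|md5*|*sha1*)               echo weak ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo ok ;;
        # e.g. RSA-PSS, where the digest sits in the parameters instead
        *)                                   echo unknown ;;
    esac
}

# Audit CSR files; returns 1 if any of them is not classified "ok".
audit_csrs() {
    rc=0
    for f in "$@"; do
        alg=$(openssl req -in "$f" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$alg" ]; then
            printf '%s: could not read a signature algorithm\n' "$f"
            rc=1
            continue
        fi
        verdict=$(classify_sig_alg "$alg")
        printf '%s: %s (%s)\n' "$f" "$alg" "$verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed excerpt in the shape of the output quoted in the message.
SAMPLE_TEXT='Certificate Request:
    Data:
        Version: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption'

# Run the audit only when CSR paths are passed on the command line.
[ "$#" -eq 0 ] || audit_csrs "$@"
```

To change the default digest instead of passing -sha256 on every call, the default_md option in the [ req ] section of openssl.cnf sets the digest that openssl req signs with.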