Hi,
I tried to set sha1 for "openssl ca -gencrl" but it doesn't work. I
checked the source code (0.9.8 and 0.9.7) and found that the req section
in apps/ca.c contains the following lines:
lines 1012-1017:
    if ((md == NULL) && ((md=NCONF_get_string(conf,section,ENV_DEFAULT_MD)) == NULL))
        {
        lookup_fail(section,ENV_DEFAULT_MD);
        goto err;
        }
but the CRL area ignores default_md, checks for DSA and EC keys, and if
it is an RSA key then it is MD5. Only -md is checked. Is there a
special reason why default_md is ignored, or is it possible to replace
the following line:
line 1427:
dgst=EVP_md5();
A solution could be:
    /* no -md given: fall back to default_md from the config section */
    if ((md=NCONF_get_string(conf,section,ENV_DEFAULT_MD)) == NULL)
        {
        dgst=EVP_md5();
        }
    else
        {
        if ((dgst=EVP_get_digestbyname(md)) == NULL)
            {
            BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
            goto err;
            }
        }
I have never touched this area before, so perhaps it is necessary to introduce
ENV_DEFAULT_CRL_MD, or are CRLs with sha1 generally not allowed? Any
comments please?
Best regards
Michael
--
-------------------------------------------------------------------
Michael Bell
ZE Computer- und Medienservice (Computing Centre)
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
Email: [EMAIL PROTECTED]
Email (private): [EMAIL PROTECTED]
Tel.: +49 (0)30-2093 2482
Fax: +49 (0)30-2093 2704
http://www.openca.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
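The practical question behind the mail is "which digest did `openssl ca -gencrl` actually sign my CRL with?". The following is an added example, not code from the mail or from OpenSSL: a small dependency-free DER walker that pulls both AlgorithmIdentifiers out of a CertificateList (the one inside tbsCertList and the outer one), maps the OID to a digest name, flags MD5/SHA-1, and flags the case where the two identifiers disagree (RFC 5280 requires them to match). The sample CRLs it runs on are hand-built DER with dummy signature bytes (constructed test data, not real signed CRLs); the helper names (`check_crl_digest`, `build_sample_crl`, etc.) are this example's own. For a real CRL, feed it the bytes of `openssl crl -in crl.pem -outform DER`.

```python
"""Report the signature digest of a DER-encoded X.509 CRL (added example, not OpenSSL code)."""

# OID -> (algorithm name, digest). Covers the cases the mail discusses
# (MD5/SHA-1 with RSA, DSA, ECDSA) plus the modern RSA/SHA-256 default.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "sha1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
}
WEAK_DIGESTS = {"md5", "sha1"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _children(value):
    """Yield (tag, content) for every element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    """Decode OID content octets to dotted-decimal text."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_bytes = next(iter(_children(alg_id)))
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def crl_signature_algorithms(der):
    """Return (tbsCertList.signature OID, outer signatureAlgorithm OID) of a CertificateList."""
    tag, cert_list, _ = _read_tlv(der, 0)
    top = list(_children(cert_list))
    # CertificateList ::= SEQUENCE { tbsCertList SEQ, signatureAlgorithm SEQ, signatureValue BIT STRING }
    if tag != 0x30 or [t for t, _ in top] != [0x30, 0x30, 0x03]:
        raise ValueError("not a CertificateList")
    tbs = list(_children(top[0][1]))
    # A v2 CRL starts with an INTEGER version; a v1 CRL starts directly with the AlgorithmIdentifier.
    sig_index = 1 if tbs[0][0] == 0x02 else 0
    return _algorithm_oid(tbs[sig_index][1]), _algorithm_oid(top[1][1])


def check_crl_digest(der):
    """Return (digest name, list of warnings) for a DER CRL."""
    inner, outer = crl_signature_algorithms(der)
    warnings = []
    if inner != outer:                     # RFC 5280 5.1.1.2: the two identifiers must be identical
        warnings.append(f"signature algorithm mismatch: tbs={inner} outer={outer}")
    name, digest = SIG_OIDS.get(outer, (outer, "unknown"))
    if digest in WEAK_DIGESTS:
        warnings.append(f"CRL signed with {name}: weak digest {digest}")
    return digest, warnings


# --- constructed sample input: hand-built DER, dummy signature bits, not a valid signed CRL ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_crl(sig_oid, outer_oid=None):
    """Build a minimal v2 CertificateList whose two AlgorithmIdentifiers carry the given OIDs."""
    def alg(oid):
        return _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + b"\x05\x00")   # params = NULL
    issuer = _tlv(0x30, b"")                           # empty Name, enough for this parser
    this_update = _tlv(0x17, b"250101000000Z")         # UTCTime
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg(sig_oid) + issuer + this_update)
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 16)           # BIT STRING holding dummy signature bytes
    return _tlv(0x30, tbs + alg(outer_oid or sig_oid) + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", check_crl_digest(build_sample_crl(oid)))
```

The mismatch check matters because the digest named inside tbsCertList is what a verifier hashes over, while the outer identifier is what a naive "grep Signature Algorithm" reports; a CRL where the two disagree is malformed and should be rejected, not just flagged as weak.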