Craig McGregor wrote:
> I couldn't find a configuration file way of making OpenCA send -sha1 to OpenSSL
> so it would use sha1 for the signature algorithm.

This behaviour you can change in the configuration file for every role. OpenCA
uses two files to configure OpenSSL for each role. Example:

User --> OPENCADIR/etc/openssl/extfiles/User.ext
     --> OPENCADIR/etc/openssl/openssl/User.conf

The first file includes the configuration for the extensions and the second
file contains all the other general stuff. The default_md you can set in the
second file.

> OpenSSL defaults to MD5, although this can be changed by specifying -sha1 on
> the command-line.

> Patching OpenSSL.pm to send -sha1 to OpenSSL seems to do the trick. (attached).

This is not necessary because it is configurable.

> Since sha1 is theoretically stronger than md5 so I wonder if this should be
> the default for OpenCA, or, is MD5 required for compatibility with early versions
> of Netscape?

No, this was not a reason and I found out via "grep -r default_md *" that we use
md5 only in the CA-certificate. I think we should change this. Any comments?

Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email:           [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany                        http://www.openca.org
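
Added example, not part of the original message or of OpenCA's code: a section-aware version of the "grep -r default_md *" check from the reply, reporting per role file whether default_md is weak, acceptable or not set at all. Apart from User.conf, the file names and contents are constructed samples, and the WEAK_DIGESTS set is an assumption of this example.

```python
import re
import tempfile
from pathlib import Path

WEAK_DIGESTS = {"md2", "md4", "md5"}  # assumption: digests this example flags
SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

def find_default_md(text):
    """Return (section, digest) for each default_md line in an OpenSSL config."""
    section, found = "default", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "default_md":
            found.append((section, value.strip().lower()))
    return found

def audit_dir(conf_dir):
    """Map each *.conf file name to (status, entries); status is weak/ok/unset."""
    report = {}
    for path in sorted(Path(conf_dir).glob("*.conf")):
        entries = find_default_md(path.read_text())
        if not entries:
            status = "unset"      # OpenSSL's built-in default digest applies
        elif any(d in WEAK_DIGESTS for _, d in entries):
            status = "weak"
        else:
            status = "ok"
        report[path.name] = (status, entries)
    return report

# Constructed sample files; only the name User.conf comes from the thread.
SAMPLES = {
    "User.conf": "[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\ndefault_md = sha1\n",
    "Sample_CA.conf": "[ CA_default ]\n# signing digest\ndefault_md = md5  # legacy\n",
    "Sample_Unset.conf": "[ req ]\ndefault_bits = 2048\n",
}

def demo():
    """Write the samples to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLES.items():
            (Path(d) / name).write_text(body)
        return audit_dir(d)

if __name__ == "__main__":
    for name, (status, entries) in demo().items():
        print(f"{name}: {status} {entries}")
```

To check a real installation, call audit_dir() on the directory holding the per-role .conf files named in the reply.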
