Hi Carlos,

> "Cisco IOS SHA-2 Support for PKI" (that is SHA-256, SHA-384, SHA-512)
> was introduced mainly in IOS 12.4(15)T in almost all platforms.

That's right, Cisco can handle certificates with >= SHA-256, of course, since 12.4(15)T. BUT: we've tracked down that the OCSP daemon's signed answer may not be signed with a hash size > SHA-1, even with IOS 12.4(15)T or IOS 15. When the OCSP answer is signed with SHA-256 by the OCSP daemon, the Cisco router simply responds with:

"E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported"

But the main topic on the mailing list is: how can OCSP-2 work around this by making it possible to send an OCSP answer signed with SHA-1 again, as OCSP-1 did by default? Meanwhile I've worked around it by patching the source code and removing the SHA256 case as a possible OCSP answer.

Greetings
-Achim

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
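A quick way to check which digest an OCSP responder actually signs with, before a router rejects it, is to read the signatureAlgorithm out of the response's DER. The following is an added example, not code from the thread or from OpenCA's OCSP daemon; the sample responses are constructed in the block with placeholder ResponseData and signature bytes, only the outer RFC 6960 structure is real.

```python
# Added example: inspect which signature algorithm an OCSP response carries, by
# walking OCSPResponse -> ResponseBytes -> BasicOCSPResponse (RFC 6960) in DER.
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")        # id-pkix-ocsp-basic
SIG_ALG_NAMES = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def der(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_ocsp_response(sig_alg_oid):
    """Constructed 'successful' OCSPResponse carrying the given signatureAlgorithm."""
    tbs = der(0x30, der(0x04, b"\x00" * 8))                    # placeholder ResponseData
    alg = der(0x30, der(0x06, sig_alg_oid) + der(0x05, b""))   # AlgorithmIdentifier
    sig = der(0x03, b"\x00" * 33)                              # placeholder BIT STRING
    basic = der(0x30, tbs + alg + sig)                         # BasicOCSPResponse
    rbytes = der(0x30, der(0x06, OID_OCSP_BASIC) + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, rbytes))   # status successful(0)

def ocsp_signature_algorithm(resp):
    """Signature algorithm name of a successful OCSP response; None for error statuses."""
    _, body, _ = tlv(resp, 0)                 # OCSPResponse
    _, status, p = tlv(body, 0)
    if status != b"\x00":
        return None                           # error status: no responseBytes present
    _, wrapped, _ = tlv(body, p)              # [0] EXPLICIT responseBytes
    _, rbytes, _ = tlv(wrapped, 0)            # ResponseBytes
    _, rtype, p = tlv(rbytes, 0)
    if rtype != OID_OCSP_BASIC:
        raise ValueError("unexpected responseType OID " + rtype.hex())
    _, octets, _ = tlv(rbytes, p)             # response OCTET STRING
    _, basic, _ = tlv(octets, 0)              # BasicOCSPResponse
    _, _, p = tlv(basic, 0)                   # skip tbsResponseData
    _, alg, _ = tlv(basic, p)                 # signatureAlgorithm
    _, oid, _ = tlv(alg, 0)
    return SIG_ALG_NAMES.get(oid, "unknown OID " + oid.hex())

def signed_with_sha1(resp):
    """True when the response signature uses SHA-1, the digest the IOS releases in this thread accept."""
    return ocsp_signature_algorithm(resp) == "sha1WithRSAEncryption"
```

Feed a real response (for example one saved with `openssl ocsp -respout`) to `ocsp_signature_algorithm` to see whether the responder is emitting sha256WithRSAEncryption, which is the case that triggers E_DIGEST_ALG_NOT_SUPPORTED above.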