Hello,

> BUT: we've tracked down that OCSP daemon answer which is signed, may not
> be signed with a hash-size > SHA-1, even with IOS 12.4(15)T or IOS 15.
> When the OCSP answer is signed with SHA-256 from the OCSP daemon,
> the cisco router simply responds with:
> "E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported"
I really haven't tried it, but I have myself filed some bugs with Cisco in the past about this OCSP part. It seems they use some old code from RSA that is buggy only for this part. I remember last time I had to file a bug because this code was not sending the Host header in the HTTP request, causing OCSP not to work when using vhosts, like with an Apache reverse proxy.

Right now I don't have a setup using OCSP with SHA-256, although it is planned for the future. If you have a test setup deployed, let me know in private; maybe I could open a bug with Cisco to solve this there. Although a workaround should be needed.

Regards,
Carlos Velasco
*************** LEGAL NOTICE ***************
This message is intended exclusively for the person to whom it is addressed and contains privileged and confidential information protected from disclosure by law. If you are not the addressee indicated in this message, you should immediately delete it and any attachments and notify the sender by reply e-mail or by phone (+34 914531200). In such case, you are hereby notified that any dissemination, distribution, copying or use of this message or any attachments, for any purpose, is strictly prohibited by law. We hereby inform you, as addressee of this message, that e-mail and Internet do not guarantee the confidentiality, nor the completeness or proper reception of the messages sent and, thus, CNIC does not assume any liability for those circumstances. Should you not agree to the use of e-mail or to communications via Internet, you are kindly requested to notify us immediately.

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
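The interoperability problem discussed in this thread is that an old IOS peer rejects any OCSP response whose signature uses a digest stronger than SHA-1. The check an operator wants before pointing such a router at a responder is "which signatureAlgorithm does this responder actually put in its BasicOCSPResponse?". The following is an added example, not code from the thread, from OpenCA or from Cisco: it builds a constructed, minimal OCSPResponse (RFC 6960 layout, with placeholder ResponseData and signature bytes) and walks the DER to report the signature algorithm OID. The `build_ocsp_response` helper exists only to produce test input; on a real deployment you would feed `ocsp_signature_algorithm` the DER bytes captured from the responder instead.

```python
"""Report the signatureAlgorithm of a DER-encoded OCSPResponse (RFC 6960).

Added example for the openca-users thread above; not project code.
The OCSP response used here is constructed in memory with placeholder
ResponseData and signature so the walker can be exercised offline.
"""

# AlgorithmIdentifier OIDs for RSA PKCS#1 v1.5 signatures (RFC 8017)
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"   # responseType for BasicOCSPResponse
SHA1_RSA_OID = "1.2.840.113549.1.1.5"


def der_len(n: int) -> bytes:
    """Encode a definite-form DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the body of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, next_offset) for the TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def build_ocsp_response(sig_alg_oid: str) -> bytes:
    """Constructed test input: OCSPResponse{successful, BasicOCSPResponse}."""
    tbs = tlv(0x30, b"")                                   # placeholder ResponseData
    alg = tlv(0x30, encode_oid(sig_alg_oid) + tlv(0x05, b""))  # AlgorithmIdentifier + NULL
    sig = tlv(0x03, b"\x00" + b"\xAA" * 8)                 # placeholder signature BIT STRING
    basic = tlv(0x30, tbs + alg + sig)                     # BasicOCSPResponse
    response_bytes = tlv(0x30, encode_oid(ID_PKIX_OCSP_BASIC) + tlv(0x04, basic))
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, response_bytes))


def ocsp_signature_algorithm(der: bytes) -> str:
    """Walk an OCSPResponse and return the responder's signatureAlgorithm OID."""
    _, outer, _ = read_tlv(der)
    status_tag, status, off = read_tlv(outer)              # responseStatus ENUMERATED
    if status_tag != 0x0A or status != b"\x00":
        raise ValueError("responseStatus is not 'successful'")
    _, rb, _ = read_tlv(outer, off)                        # [0] EXPLICIT ResponseBytes
    _, rb_seq, _ = read_tlv(rb)
    _, oid_body, off = read_tlv(rb_seq)                    # responseType OID
    if decode_oid(oid_body) != ID_PKIX_OCSP_BASIC:
        raise ValueError("response is not a BasicOCSPResponse")
    _, basic_der, _ = read_tlv(rb_seq, off)                # OCTET STRING holding BasicOCSPResponse
    _, basic, _ = read_tlv(basic_der)
    _, _tbs, off = read_tlv(basic)                         # skip tbsResponseData
    _, alg, _ = read_tlv(basic, off)                       # signatureAlgorithm
    _, oid_body, _ = read_tlv(alg)
    return decode_oid(oid_body)


def sha1_signed(der: bytes) -> bool:
    """True when the responder signed with sha1WithRSAEncryption (what old IOS accepts)."""
    return ocsp_signature_algorithm(der) == SHA1_RSA_OID


if __name__ == "__main__":
    for oid in (SHA1_RSA_OID, "1.2.840.113549.1.1.11"):
        resp = build_ocsp_response(oid)
        found = ocsp_signature_algorithm(resp)
        print(SIG_ALG_NAMES.get(found, found), "-> accepted by SHA-1-only peer:", sha1_signed(resp))
```

Running the module prints one line per constructed response, so a SHA-256-signed response shows up as not accepted by a SHA-1-only peer. Because the walker only reads tags and lengths, it works on a real responder's output as well; a responder that must serve such routers has to be configured to sign with SHA-1, which is the trade-off the thread is weighing.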