Summary
=======
Configuration file option "default_md" is ignored when generating CRLs.

Description
===========
Command "openssl ca" has an option to specify a hash algorithm for signing
certificate requests and/or CRLs. This can be accomplished using a command
line option "-md" or a configuration file option "default_md".

The problem is that the configuration option "default_md" is ignored when
signing CRLs but is honored when signing certificate requests. Command line
option "-md" is always honored.

Action         Config            Command     Signature
=============================================================
Signing CRL    no default_md     no -md      MD5
Signing CRL    default_md=sha1   no -md      MD5     <--- ERROR
Signing CRL    default_md=sha1   -md sha1    SHA-1
Signing cert   default_md=sha1   no -md      SHA-1   <-- OK

Example #1 (using default_md=sha1)

>openssl ca -gencrl|openssl crl -text -noout
.....
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: md5WithRSAEncryption
.....

Example #2 (using the same config file and -md)

>openssl ca -gencrl -md sha1|openssl crl -text -noout
.....
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
.....

Platform
========
Windows 2000 Pro SP2
Visual C++ 6.0 SP5

OpenSSL 0.9.6b 9 Jul 2001
built on: Sat Aug 12 20:11:28 2001
platform: VC-WIN32
options:  bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
compiler: cl /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32dll

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
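
Added example (not part of the original report or the OpenSSL code base): a shell check that compares the digest requested by "default_md" with the signature algorithm in a CRL text dump, so a CRL signed with an unexpected digest is flagged. The config snippet and the function names are constructed for illustration; the CRL text is the Example #1 output above, and the name matching also covers DSA and ECDSA algorithm names beyond the RSA case in the report.

```shell
# Print default_md from one section of an openssl.cnf read on stdin.
# $1 = section name (passed explicitly; default_ca is not followed).
config_default_md() {
    awk -v want="$1" '
        /^[ \t]*\[/ {                 # section header, e.g. [ CA_default ]
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        sec == want && /^[ \t]*default_md[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v); sub(/#.*$/, "", v); sub(/[ \t\r]+$/, "", v)
            print tolower(v); exit
        }'
}

# Print the first "Signature Algorithm" value from `openssl crl -text` output on stdin.
crl_sig_alg() {
    awk -F': *' '/Signature Algorithm:/ { v = $2; sub(/[ \t\r]+$/, "", v); print v; exit }'
}

# $1 = configured digest, $2 = signature algorithm name.
# Returns 0 on match, 1 on mismatch, 2 if either value is missing.
crl_digest_matches() {
    [ -n "$1" ] && [ -n "$2" ] || return 2
    case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
        "$1"with*|*with"$1"|*-with-"$1") return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = openssl.cnf text, $2 = CA section name, $3 = CRL text dump.
audit_crl() {
    want=$(printf '%s\n' "$1" | config_default_md "$2")
    got=$(printf '%s\n' "$3" | crl_sig_alg)
    if crl_digest_matches "$want" "$got"; then
        echo "OK: default_md=$want, CRL signed with $got"
    else
        echo "MISMATCH: default_md=$want, CRL signed with $got"; return 1
    fi
}

# Constructed config; the CRL text is the Example #1 output from the report.
SAMPLE_CNF='[ CA_default ]
default_md = sha1   # digest requested for signing'
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: md5WithRSAEncryption'
audit_crl "$SAMPLE_CNF" CA_default "$SAMPLE_CRL_TEXT" || true
```

Against a real CA, pass the contents of the CA's configuration file and the output of "openssl crl -in crl.pem -text -noout" (crl.pem is a placeholder file name) instead of the sample variables.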