> In OpenSSL v. 1.0.0c OCSP it is possible to add digest methods (i.e.
> -sha256) in both client requests and server. But adding them does not
> change the method used. SHA1 is still used.
The digest methods option (e.g., "-sha256") does work, but the manual page is misleading. The manual page implies that the "-sha256" option should appear as the last option on the command line, but it should really be placed near the beginning.

If you look at the source code for the OCSP utility, specifying a digest method (e.g., "-sha256") will set the variable cert_id_md to the specified digest. When a "-cert" or "-serial" option is parsed, the corresponding entry will be created using the value of cert_id_md at the time the "-cert" or "-serial" option is parsed (or it will use SHA-1 if cert_id_md is NULL). So, if you place "-sha256" at the end of the command line it will have no effect. If you place "-sha256" in the command line before any "-cert" or "-serial", then SHA-256 will be used as expected.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
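As an added example (not part of the original thread), the following script places "-sha256" before "-cert" as the reply describes and then checks which digest OpenSSL actually recorded in the request's CertID, using "openssl ocsp -req_text" to decode the request. It assumes the openssl CLI is on PATH and uses a throwaway self-signed certificate as both issuer and subject.

```shell
set -e
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Throwaway self-signed certificate used as both issuer and subject
# (constructed test data, not a real CA).
openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=ocsp-digest-test' \
    -keyout "$workdir/ca.key" -out "$workdir/ca.pem" -days 1 >/dev/null 2>&1

# build_ocsp_request <digest|default>
# Writes a DER-encoded OCSP request and prints its path. The digest option
# is placed before -cert, because the CertID is built with the digest that
# is in effect at the moment -cert is parsed (SHA-1 if none was given yet).
build_ocsp_request() {
    out="$workdir/req-$1.der"
    if [ "$1" = default ]; then
        openssl ocsp -issuer "$workdir/ca.pem" -cert "$workdir/ca.pem" \
            -no_nonce -reqout "$out" >/dev/null
    else
        openssl ocsp "-$1" -issuer "$workdir/ca.pem" -cert "$workdir/ca.pem" \
            -no_nonce -reqout "$out" >/dev/null
    fi
    printf '%s\n' "$out"
}

# certid_digest <request.der>
# Prints the hash algorithm recorded in the request's CertID, as decoded by
# openssl itself. This is the check that tells you whether the option took effect.
certid_digest() {
    openssl ocsp -reqin "$1" -req_text -no_nonce \
        | sed -n 's/^ *Hash Algorithm: *//p' | head -n 1
}

# Stand-alone run: compare the default request (SHA-1) with the SHA-256 one.
for mode in default sha256; do
    printf '%-8s -> %s\n' "$mode" "$(certid_digest "$(build_ocsp_request "$mode")")"
done
```

Running "certid_digest" against a request you built with "-sha256" placed after "-cert" is the quickest way to confirm the ordering problem on your own OpenSSL version.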