On Thu, May 07, 2009 at 10:54:50AM -0700, Alex Chen wrote:
> How does openssl decide which SHA function to use if we simply use an ssl
> connection, i.e. what controls the use of different SHA functions?
There are no SHA-2 cipher-suites in TLS 1.0 and TLS 1.1. TLS 1.2 is very new, and not yet implemented by OpenSSL.

If you enable "all" algorithms rather than "all ssl" algorithms, you will be able to verify certificates signed with SHA-2 with the current OpenSSL release, but the SSL cipher-suite will still use a SHA-1 HMAC.

This said, most clients and servers will break with SHA-2 certificates, so you can only use these in "closed" systems, not on the public Internet. TLS 1.2 supports negotiation of certificate signature algorithms, but it will be a long time before systems are able to make use of SHA-2 certs...

-- 
Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org