Thanks for the information, Viktor. I am not familiar with the
algorithms used in SSL, but if I understand correctly, SHA-1/SHA-2 is
only a hash function, right?
In the OpenSSL source code, I see references to SHA-256, SHA-512, etc.
that belong to the SHA-2 suite. If OpenSSL only supports SHA-1 HMAC,
where and how does that code get used?
I looked at one of our self-signed certificate (.pem) files, which has the
following entries:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: md5WithRSAEncryption
It appears that this certificate was generated with an MD5 hash instead
of a SHA hash, correct? How do we set the hash function to SHA instead
of MD5?
Alex
On May 7, 2009, at 12:46 PM, Victor Duchovni wrote:
On Thu, May 07, 2009 at 10:54:50AM -0700, Alex Chen wrote:
How does openssl decide which SHA function to use if we simply use an ssl
connection, i.e. what controls the use of the different SHA functions?
There are no SHA-2 cipher-suites in TLS 1.0 and TLS 1.1. TLS 1.2
is very new, and not yet implemented by OpenSSL.
If you enable "all" algorithms rather than "all ssl" algorithms, you
will be able to verify certificates signed with SHA-2 with the current
OpenSSL release but the SSL cipher-suite will still use a SHA-1 HMAC.
This said, most clients and servers will break with SHA-2 certificates,
so you can only use these in "closed" systems, not on the public
Internet.
TLS 1.2 supports negotiation of certificate signature algorithms, but
it will be a long time before systems are able to make use of SHA-2
certs...
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
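The "Signature Algorithm:" line Alex quotes is the only thing in the certificate that records which hash the signer used, and it is the field to check across a whole cert store when you want to know which certs still need regenerating. The following Python is an added example, not code from this thread or from OpenSSL: a minimal DER walker that reads Certificate.signatureAlgorithm out of a PEM file, maps the OID to the name openssl x509 -text prints, and flags md5WithRSAEncryption and sha1WithRSAEncryption. The certificates it scans are constructed inside the script (placeholder tbsCertificate and signature, so they will not verify anywhere); point check_pem at a real .pem to use it.

```python
"""Report the signature hash of a PEM certificate and flag MD5/SHA-1.

Added example (not from the thread or OpenSSL): reads
Certificate.signatureAlgorithm with a minimal DER walker. Stdlib only.
"""
import base64
import re

# Dotted OIDs of the PKCS#1 v1.5 RSA signature algorithms (arc 1.2.840.113549.1.1).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos] -> (tag, value, next_pos).

    Handles the long-form lengths (0x81 nn, 0x82 nn nn) real certificates use.
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem_text):
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm_oid(der):
    """OID from the outer Certificate.signatureAlgorithm (not the copy inside the TBS)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_content, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OBJECT IDENTIFIER")
    return _decode_oid(oid_content)


def check_pem(pem_text):
    """Return (algorithm name, or raw OID if unknown; True if the hash is MD5/SHA-1)."""
    oid = signature_algorithm_oid(pem_to_der(pem_text))
    name = SIG_ALG_NAMES.get(oid, oid)
    return name, name in WEAK_SIG_ALGS


# --- constructed test input: structurally valid, cryptographically meaningless ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_placeholder_cert_pem(sig_oid):
    """PEM whose only meaningful field is signatureAlgorithm; padded so the
    outer SEQUENCE needs a long-form length, like a real certificate."""
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x04, b"\x00" * 200))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 32)   # BIT STRING, 0 unused bits
    body = base64.encodebytes(_der(0x30, tbs + alg + sig)).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in SIG_ALG_NAMES:
        name, weak = check_pem(make_placeholder_cert_pem(oid))
        print(f"{name:24} {'WEAK: re-issue with a SHA-2 digest' if weak else 'ok'}")
```

The name table only covers the RSA algorithms from the thread; an unknown OID (an ECDSA signature, say) is returned as dotted text and not flagged, so extend the table before relying on it as an inventory tool. Re-issuing a flagged certificate is a matter of the digest option given to the OpenSSL command that signs it, for example `openssl req -x509 -sha256 ...` for a self-signed cert on any current OpenSSL build that has SHA-256; verify the result with `openssl x509 -noout -text` and confirm the Signature Algorithm line changed.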