On Thu, Sep 8, 2016 at 5:54 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> > If a fully-patched Windows XP understands SHA2 Authenticode signatures
> > then it should not show "Unknown publisher" in "File properties" dialog
> > for the installer, executables or libraries. The tap-windows driver is
> > still signed with the old key, so that cannot be used to validate the
> > signature.
> >
> > Does anyone have a fully-patched Windows XP system to test the above
> > installer on?
>
> I just tested it in a WinXP VM that should have all patches applied.
> The installer failed with "There was a problem installing the TAP
> driver". After a reboot the driver was reported missing (error #39) and
> I had to do a 'rollback driver' to get the original (NDIS5) driver back.
>
> Is there a log file I can send you?
>
> share & enjoy,

Although some SHA2 support became available in Service Pack 3, as per
https://support.microsoft.com/en-ca/kb/968730, SHA2 for Authenticode
signature verification is not supported. Probably this situation never
changed even with any of the post-SP3 updates installed.

"Changes in Windows XP SP3

Windows XP SP3 implements and supports the SHA2 hashing algorithms
(SHA256, SHA384, and SHA512) in the X.509 certificate validation. The
changes in the certificate validation are meant to enable the scenario of
the SSL/TLS authentication. Other scenarios that involve certificate
validation may not work if you use certificates that are secured by using
the SHA2 algorithms if the protocols and the applications do not support
the SHA2 hashing algorithms. For example, the S/MIME signed e-mail
verification and the Authenticode signature verification do not support
the SHA2 hashing algorithms on a computer that is running Windows XP SP3
..."
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
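
Added example (not part of the original thread and not OpenVPN project code): a Python reader for the digest algorithm that a PE file's primary Authenticode signature declares, which is the property the KB 968730 text quoted above turns on. It assumes a DER-encoded PKCS#7 blob and looks only at the first entry in the certificate table; the function names are hypothetical.

```python
import struct

# DER value bytes of digest OIDs that may appear in SignedData.digestAlgorithms
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040202"): "sha384",
    bytes.fromhex("608648016503040203"): "sha512",
}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def authenticode_digests(pe):
    """Return the digest names declared by the first PKCS#7 signature in a PE image."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic = struct.unpack_from("<H", pe, pe_off + 24)[0]    # PE32 or PE32+
    dirs = pe_off + 24 + {0x10B: 96, 0x20B: 112}[magic]     # start of data directories
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # security dir
    if cert_size == 0:
        return []                                           # file is unsigned
    length, _rev, ctype = struct.unpack_from("<IHH", pe, cert_off)     # WIN_CERTIFICATE
    if ctype != 0x0002:                                     # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type")
    der = pe[cert_off + 8:cert_off + length]
    _, p, _ = _tlv(der, 0)                 # ContentInfo SEQUENCE
    _, _, p = _tlv(der, p)                 # contentType OID (skipped)
    _, p, _ = _tlv(der, p)                 # [0] EXPLICIT wrapper
    _, p, _ = _tlv(der, p)                 # SignedData SEQUENCE
    _, _, p = _tlv(der, p)                 # version INTEGER (skipped)
    _, p, end = _tlv(der, p)               # digestAlgorithms SET
    names = []
    while p < end:
        _, a, nxt = _tlv(der, p)           # AlgorithmIdentifier SEQUENCE
        _, o, oe = _tlv(der, a)            # algorithm OID
        names.append(DIGEST_OIDS.get(bytes(der[o:oe]), der[o:oe].hex()))
        p = nxt
    return names

def primary_digest_is_sha1(pe):
    """Necessary (not sufficient) for XP SP3 verification; cert chain is not inspected."""
    return set(authenticode_digests(pe)) == {"sha1"}
```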