Updating SSL keys on fedoraproject.org 2011-03-10
Elio Maldonado
emaldona at redhat.com
Fri Mar 11 20:57:38 UTC 2011
On 03/11/2011 12:18 PM, Chris Adams wrote:
> Once upon a time, Ralf Ertzinger<fedora at camperquake.de> said:
>> this document is about a quite special case (regarding lawfully binding
>> digital signatures) and not about SSL in general.
> I took a short look at software support for other SSL hashes:
>
> - OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating
> a signing request or signing a cert
>
> - NSS: certutil doesn't seem to offer the option to set the digest (I
> didn't see one in -H output and there's no man/info page)
By the way, man pages for the nss tools are in development
https://bugzilla.redhat.com/show_bug.cgi?id=606020#c3
as you can see, they still need a lot of work
> - GnuTLS: certtool supports up to SHA512 for signing, although it only
> used SHA-1 for a signing request (it appeared to ignore the --hash
> option when generating a request)
>
> Once I had a SHA512 signed cert, OpenSSL recognized it and recognized
> the SHA512 signature. It looks like NSS can't just look at cert PEM
> file; you have to create a cert database and import the cert; I did
> that, and it didn't give an error, but I didn't see a way to be
> "verbose" about it to see that it actually recognized the signature
> algorithm.
>
> This was all on F14. I tried a few RHEL servers as well; on RHEL 4,
> OpenSSL did not recognize the signature algorithm (RHEL 5/6 did).
>
> I didn't try to set up Apache with a SHA512 cert to see what browsers
> recognized it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6018 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20110311/59dd00a1/attachment.bin
More information about the devel
mailing list