Updating SSL keys on fedoraproject.org 2011-03-10
Petr Pisar
ppisar at redhat.com
Mon Mar 14 15:52:01 UTC 2011
On 2011-03-11, Chris Adams <cmadams at hiwaay.net> wrote:
> Once upon a time, Ralf Ertzinger <fedora at camperquake.de> said:
>> this document is about a quite special case (regarding lawfully binding
>> digital signatures) and not about SSL in general.
>
> I took a short look at software support for other SSL hashes:
>
> - OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating
> a signing request or signing a cert
>
Not true:
$ openssl req -newkey rsa:2048 -sha256 -new -utf8 -out test.req
[...]
$ openssl req -noout -text <test.req
Certificate Request:
[...]
Signature Algorithm: sha256WithRSAEncryption
The openssl FOO usage output is outdated. You need to reuse options
from other subcommands (e.g. openssl dgst -h).
> - NSS: certutil doesn't seem to offer the option to set the digest (I
> didn't see one in -H output and there's no man/info page)
>
NSS is under-documented. E.g. I could not figure out how to select
a hardware cryptoengine.
> - GnuTLS: certtool supports up to SHA512 for signing, although it only
> used SHA-1 for a signing request (it appeared to ignore the --hash
> option when generating a request)
>
Yes, there is a bug with selecting hash algorithm.
-- Petr
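The procedure Petr sketches above (pick the digest on the openssl req command line, then read the signature algorithm back from the object rather than trusting the usage text) carried through end to end, as an added example; it is not code from the original message or from Fedora. It assumes a current openssl(1) on PATH; the file names, the subject /CN=example.test, the 30-day validity and the helper names (gen_key, gen_csr, sign_cert, sig_alg, csr_digest, cert_digest) are choices made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Generate an RSA key, a CSR and
# a self-signed certificate with an explicitly chosen digest, then extract the
# digest from the objects. Assumes openssl(1) is on PATH (checked below).
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Scratch directory (name is arbitrary), removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Which digests this openssl build can sign with. `openssl list` is the
# OpenSSL 1.1+/3.x form; the second command is the 1.0.x spelling.
list_digests() {
    openssl list -digest-commands 2>/dev/null || openssl list-message-digest-commands
}

# 2048-bit RSA private key, unencrypted (fine for a throwaway demo).
gen_key() {  # arg: key file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# CSR signed with the requested digest, e.g. "sha256" or "sha512".
# The digest is passed as -sha256 etc., the same option openssl dgst takes.
gen_csr() {  # args: key csr digest
    openssl req -new -key "$1" -subj "/CN=example.test" -utf8 -"$3" -out "$2" 2>/dev/null
}

# Self-signed certificate from the CSR, again with an explicit digest.
sign_cert() {  # args: key csr cert digest
    openssl x509 -req -in "$2" -signkey "$1" -days 30 -"$4" -out "$3" 2>/dev/null
}

# Read the signature algorithm back from a CSR (kind "req") or a certificate
# (kind "x509"). `openssl x509 -text` prints the line twice, hence head -n1.
sig_alg() {  # args: kind file
    openssl "$1" -noout -text -in "$2" | sed -n 's/^ *Signature Algorithm: *//p' | head -n1
}

# Build a CSR with the given digest and return its signature algorithm name.
csr_digest() {  # arg: digest
    gen_key "$WORK/key.pem"
    gen_csr "$WORK/key.pem" "$WORK/req.pem" "$1"
    sig_alg req "$WORK/req.pem"
}

# Build a self-signed cert with the given digest and return its algorithm name.
cert_digest() {  # arg: digest
    gen_key "$WORK/key.pem"
    gen_csr "$WORK/key.pem" "$WORK/req.pem" "$1"
    sign_cert "$WORK/key.pem" "$WORK/req.pem" "$WORK/cert.pem" "$1"
    sig_alg x509 "$WORK/cert.pem"
}

# Stand-alone run: show the available digests and what the objects carry.
if [ "${1:-}" = "run" ]; then
    echo "available digest commands:"; list_digests
    echo "CSR  (sha256): $(csr_digest sha256)"
    echo "cert (sha512): $(cert_digest sha512)"
fi
```

Run it as `sh script.sh run`. The point of reading the algorithm back with sig_alg is that the digest named on the command line is the only thing that determines what ends up in the request or certificate; the `-sha256`/`-sha512` style options are accepted by `openssl req` and `openssl x509` even where the subcommand's own usage text does not list them.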