Re: Updating SSL keys on fedoraproject.org 2011-03-10

On 03/11/2011 12:18 PM, Chris Adams wrote:
Once upon a time, Ralf Ertzinger <fedora@xxxxxxxxxxxxxx> said:
this document is about a quite special case (regarding lawfully binding
digital signatures) and not about SSL in general.
I took a short look at software support for other SSL hashes:

- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating
   a signing request or signing a cert

- NSS: certutil doesn't seem to offer the option to set the digest (I
   didn't see one in -H output and there's no man/info page)

By the way, man pages for the nss tools are in development:
https://bugzilla.redhat.com/show_bug.cgi?id=606020#c3
As you can see, they still need a lot of work.

- GnuTLS: certtool supports up to SHA512 for signing, although it only
   used SHA-1 for a signing request (it appeared to ignore the --hash
   option when generating a request)

Once I had a SHA512 signed cert, OpenSSL recognized it and recognized
the SHA512 signature.  It looks like NSS can't just look at a cert PEM
file; you have to create a cert database and import the cert; I did
that, and it didn't give an error, but I didn't see a way to be
"verbose" about it to see that it actually recognized the signature
algorithm.

This was all on F14.  I tried a few RHEL servers as well; on RHEL 4,
OpenSSL did not recognize the signature algorithm (RHEL 5/6 did).

I didn't try to set up Apache with a SHA512 cert to see what browsers
recognized it.


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel