Thanks. As it turns out I had enabled all digest algorithms and used
SHA256 which is probably somewhat of an overkill ...
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Thursday, February 14, 2008 10:55 AM
To: openssl-users@openssl.org
Subject: Re: Direct trust in server certificate?

On Wed, Feb 13, 2008 at 05:06:35PM -0500, Cooper, Andy wrote:

> Thank you. I've managed to write code that does fingerprint 
> verification like you suggested, and it seems to work.

Cool. If you are concerned about "second pre-image" attacks on md5, use
sha1; if you are also concerned about sha1, you can use sha2
fingerprints, but these are not enabled by default when you enable just
the SSL algorithms. You have to enable "all" digest algorithms.

See OpenSSL_add_all_digests(3). Despite all the recent progress, I am
not aware of effective second pre-image attacks on either md5 or sha1.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
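
An added example, not part of the original thread and not OpenSSL's own code: the fingerprint check discussed above, written with Python's hashlib rather than the OpenSSL C API. The `algo:HEX` pin format, the function names, the allow-list and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac

# Digests named in the thread; a pin using any other name is refused, much as
# a digest lookup fails in OpenSSL when that algorithm was never enabled.
ALLOWED_DIGESTS = {"md5", "sha1", "sha256"}


def parse_pin(pin):
    """Split 'sha256:AB:CD:...' into (algorithm name, raw digest bytes)."""
    algo, sep, hex_part = pin.partition(":")
    algo = algo.strip().lower()
    if not sep or algo not in ALLOWED_DIGESTS:
        raise ValueError("unsupported or missing digest algorithm: %r" % algo)
    raw = bytes.fromhex(hex_part.replace(":", "").strip())
    # A truncated pin must never be accepted as a prefix match.
    if len(raw) != hashlib.new(algo).digest_size:
        raise ValueError("pin length does not match %s" % algo)
    return algo, raw


def fingerprint(der_cert, algo):
    """Colon-separated upper-case hex digest of the DER-encoded certificate."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cert_matches_pin(der_cert, pin):
    """True only if the certificate hashes to exactly the pinned digest."""
    algo, expected = parse_pin(pin)
    actual = hashlib.new(algo, der_cert).digest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in bytes, not real certificates. In a live client the
# bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"constructed-sample-certificate-bytes"
OTHER_DER = b"constructed-other-certificate-bytes"

if __name__ == "__main__":
    pin = "sha256:" + fingerprint(SAMPLE_DER, "sha256")
    print(pin)
    print(cert_matches_pin(SAMPLE_DER, pin))
    print(cert_matches_pin(OTHER_DER, pin))
```

Direct trust means the pin is the only check, so it has to be recorded over a channel you already trust and updated whenever the server's certificate is replaced.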