I can't speak for SHA256 in OpenSSL, so I can't help a huge amount on that score. But I can tell you, regarding the root and client key sizes...
Many software apps won't handle roots with keys greater than 4096 bits (older ones choke on anything above 2048). There is at least one class of devices (Cisco ipsec VPN concentrators) that won't work with anything over 1024 bits up the entire chain, including the root. Also, NIST recommends that 1024-bit keys be retired within the next 2 years. -Kyle H On Mon, Dec 15, 2008 at 2:58 AM, Raphael <jr...@jraph.com> wrote: > Hi Henrik, > > Thanks for helping. > > I'm checking for calling OpenSSL_add_all_algorithms() in the sources. > Concerning the ciphers, I don't know either, but all the certificates were > issued using Openssl (and OpenCA 1.0.2) > > I chose to issue a CA certificate with 8192 bits length, may it become a > problem ? > The certificates are 2048 bits long, here is an example: > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: sha256WithRSAEncryption > Issuer: C=FR, O=xxxxx, OU=CA, CN=CA/emailaddress=rese...@xxxxx.fr > Validity > Not Before: Oct 29 09:54:00 2008 GMT > Not After : Dec 7 09:54:00 2035 GMT > Subject: C=FR, O=CAHPP, OU=Users, CN=72571934AA > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (2048 bit) > Modulus (2048 bit): > 00:b8:19:f7:08:a8:24:2e:f2:77:fc:cf:49:fb:2a: > ... > 58:50:87:52:2d:2b:43:98:f7:2f:99:6f:43:e7:be: > 23:b5 > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Basic Constraints: > CA:FALSE > Netscape Cert Type: > SSL Client, S/MIME > X509v3 Key Usage: > Digital Signature, Non Repudiation, Key Encipherment > X509v3 Extended Key Usage: > TLS Web Client Authentication, E-mail Protection, Microsoft > Smartcardlogin > Netscape Comment: > User Certificate of XXXXX > X509v3 Subject Key Identifier: > 34:03:0A:FB:37:C7:F0:59:16:1D:84:85:FC:18:BA:4C:31:1A:25:E8 > X509v3 Authority Key Identifier: > > keyid:A6:30:F5:FA:A3:88:27:C5:D7:91:AE:91:D4:75:09:28:41:85:D4:C2 > > DirName:/C=FR/O=xxxxx/OU=CA/CN=CA/emailaddress=rese...@xxxxx.fr > serial:F8:DA:53:89:72:B7:DC:B1 > > X509v3 Subject Alternative Name: > email:rese...@xxxxx.fr > X509v3 Issuer Alternative Name: > email:rese...@xxxxx.fr > Netscape CA Revocation Url: > https://ldap.xxxxx.fr/openca2/pub/crl/cacrl.crl > Netscape Revocation Url: > https://ldap.xxxxx.fr/openca2/pub/crl/cacrl.crl > X509v3 CRL Distribution Points: > URI:https://ldap.xxxxx.fr/openca2/pub/crl/cacrl.crl > > Signature Algorithm: sha256WithRSAEncryption > 9d:c6:ef:97:97:4f:ae:23:4c:a2:46:12:83:aa:0a:c8:b9:4a: > ... > 38:42:35:1f:63:69:0b:ed:08:01:56:a7:14:aa:3f:5f > > May it help ? > Raphael > > -----Message d'origine----- > De : Henrik Nordstrom [mailto:hen...@henriknordstrom.net] > Envoyé : dimanche 14 décembre 2008 00:23 > À : Raphael > Cc : squid-us...@squid-cache.org > Objet : Re: [squid-users] TR: [Bulk] Re: [squid-users] Certificate > Validation problem due to Sha 256 message digest > > On Fri, 2008-12-12 at 14:53 +0100, Raphael wrote: > >> I use Openssl 0.9.8i which manages to check the certificate. I am also > able >> to get the sha256 digest of a file : >> openssl dgst -sha256 /root/openssl-0.9.8i.tar.gz >> is working and giving me the message digest. > > That's fine. But the digest algoritm also needs to be in the cipher > suite profile. In the normal openssl cipher suite for SSL only SHA1 is > included. > > I don't know if OpenSSL supports SHA2 in the cipher suites. It does not > look like it from a quick glance (see openssl ciphers command). (0.9.8g) > > Regards > Henrik > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
