Hi Henrik, Thanks for helping.
I'm checking for calling OpenSSL_add_all_algorithms() in the sources. Concerning the ciphers, I don't know either, but all the certificates were issued using OpenSSL (and OpenCA 1.0.2). I chose to issue a CA certificate with a length of 8192 bits; may it become a problem? The certificates are 2048 bits long; here is an example:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, O=xxxxx, OU=CA, CN=CA/emailaddress=rese...@xxxxx.fr
        Validity
            Not Before: Oct 29 09:54:00 2008 GMT
            Not After : Dec  7 09:54:00 2035 GMT
        Subject: C=FR, O=CAHPP, OU=Users, CN=72571934AA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b8:19:f7:08:a8:24:2e:f2:77:fc:cf:49:fb:2a:
                    ...
                    58:50:87:52:2d:2b:43:98:f7:2f:99:6f:43:e7:be:
                    23:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin
            Netscape Comment:
                User Certificate of XXXXX
            X509v3 Subject Key Identifier:
                34:03:0A:FB:37:C7:F0:59:16:1D:84:85:FC:18:BA:4C:31:1A:25:E8
            X509v3 Authority Key Identifier:
                keyid:A6:30:F5:FA:A3:88:27:C5:D7:91:AE:91:D4:75:09:28:41:85:D4:C2
                DirName:/C=FR/O=xxxxx/OU=CA/CN=CA/emailaddress=rese...@xxxxx.fr
                serial:F8:DA:53:89:72:B7:DC:B1
            X509v3 Subject Alternative Name:
                email:rese...@xxxxx.fr
            X509v3 Issuer Alternative Name:
                email:rese...@xxxxx.fr
            Netscape CA Revocation Url:
                https://ldap.xxxxx.fr/openca2/pub/crl/cacrl.crl
            Netscape Revocation Url:
                https://ldap.xxxxx.fr/openca2/pub/crl/cacrl.crl
            X509v3 CRL Distribution Points:
                URI:https://ldap.xxxxx.fr/openca2/pub/crl/cacrl.crl
    Signature Algorithm: sha256WithRSAEncryption
        9d:c6:ef:97:97:4f:ae:23:4c:a2:46:12:83:aa:0a:c8:b9:4a:
        ...
        38:42:35:1f:63:69:0b:ed:08:01:56:a7:14:aa:3f:5f

May it help?
Raphael

-----Original Message-----
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Sunday 14 December 2008 00:23
To: Raphael
Cc: squid-us...@squid-cache.org
Subject: Re: [squid-users] TR: [Bulk] Re: [squid-users] Certificate Validation problem due to Sha 256 message digest

On Fri, 2008-12-12 at 14:53 +0100, Raphael wrote:
> I use Openssl 0.9.8i which manages to check the certificate. I am also able
> to get the sha256 digest of a file :
> openssl dgst -sha256 /root/openssl-0.9.8i.tar.gz
> is working and giving me the message digest.

That's fine. But the digest algorithm also needs to be in the cipher suite profile. In the normal openssl cipher suite for SSL only SHA1 is included.

I don't know if OpenSSL supports SHA2 in the cipher suites. It does not look like it from a quick glance (see openssl ciphers command). (0.9.8g)

Regards
Henrik

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
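Since the thread turns on whether a given OpenSSL build can check a sha256WithRSAEncryption signature, here is an added shell example (written for this page; it is not code from the thread, from OpenSSL or from OpenCA) that builds a throw-away CA and a CA-signed user certificate, both signed with SHA-256, reads the signature algorithm back out of the certificate the way it appears in Raphael's dump, and runs `openssl verify` against the CA. It assumes a modern `openssl` command on PATH; the subject names, the 2048-bit key sizes and the `$WORK` directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a CA plus a user certificate,
# both signed with sha256WithRSAEncryption, then check (a) the algorithm
# recorded in the certificate and (b) whether this OpenSSL build verifies
# the chain. Key sizes are kept at 2048 bits so the script runs quickly;
# an 8192-bit CA key like the one in the thread takes far longer to
# generate but is verified by exactly the same path.
set -e

# Scratch directory for keys and certificates (constructed for the example).
WORK="${WORK:-$(mktemp -d)}"

# CA key and self-signed CA certificate with a SHA-256 signature.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 \
        -subj "/C=FR/O=Example/OU=CA/CN=Example Test CA" \
        -out "$WORK/ca.crt" 2>/dev/null
}

# User key, CSR and CA-signed user certificate with a SHA-256 signature.
make_leaf() {
    openssl genrsa -out "$WORK/user.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/user.key" \
        -subj "/C=FR/O=Example/OU=Users/CN=user1" \
        -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -sha256 -days 365 -out "$WORK/user.crt" 2>/dev/null
}

# Print the signature algorithm name recorded in a certificate, i.e. the
# "Signature Algorithm:" field of `openssl x509 -text` (first occurrence).
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 when the user certificate chains to the CA under this build.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1
}

# Return 0 when the sha256 digest itself is available in this build
# (the check Raphael ran by hand with `openssl dgst -sha256`).
has_sha256() {
    printf 'x' | openssl dgst -sha256 >/dev/null 2>&1
}

make_ca
make_leaf
echo "user certificate signature algorithm: $(sig_alg "$WORK/user.crt")"
if verify_chain; then
    echo "chain verifies with this OpenSSL build"
else
    echo "chain does NOT verify with this OpenSSL build"
fi
```

The generated files are left in `$WORK` so the certificates can be inspected with `openssl x509 -text` afterwards. Note that `openssl verify` exercises only the X.509 code path: its result does not depend on the TLS cipher list, it depends on the library being able to look up the digest named in the certificate's signature algorithm. In the 0.9.8 API that lookup is what `OpenSSL_add_all_algorithms()` (or `OpenSSL_add_all_digests()`) enables for an application that links the library, which is why checking for that call in the sources is the right first step.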