http://cvs.openssl.org/chngview?cn=19536

  -SSL_library_init() only registers ciphers. Another important initialization
  -is the seeding of the PRNG (Pseudo Random Number Generator), which has to
  -be performed separately.
  +SSL_library_init() mainly adds ciphers and digests used directly by SSL/TLS.
  +In some cases this is not sufficient and errors about unknown algorithms
  +will occur: for example when an attempt is made to use a certificate using
  +SHA256. This can be resolved by also calling OpenSSL_add_all_algorithms().
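Review bot: the removed `-` lines carried the caveat that PRNG seeding "has to be performed separately", and nothing in the `+` lines carries that requirement forward or points to where it is now documented; if seeding is still the caller's responsibility, keep a sentence to that effect (or a cross-reference) so the rewrite does not silently drop it. In the new text, "SHA256" would be clearer as "SHA-256", and the example would be more useful if it stated concretely which digests SSL_library_init() does and does not register, since "used directly by SSL/TLS" leaves the reader guessing whether certificate-signature digests are in that set.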

I find the last two sentences a bit confusing.

Are certificates that use SHA-2 digests conformant with TLS 1.0 (AFAIK
OpenSSL does not support TLS 1.1 or later)?

If such certificates are valid, should not SHA-2 digests be initialized
by SSL_library_init()?

If such certificates are not valid with TLS 1.0, which applications need
to worry about SHA-2 and OpenSSL_add_all_algorithms()?

Postfix only calls SSL_library_init(), with the expectation that
everything required for interoperable TLS/SSL support will be initialized
via this call without resort to OpenSSL_add_all_algorithms(); is this
the wrong expectation? Specifically, I would expect that SHA-2 will
automatically be initialized as soon as OpenSSL implements support for
a version of the protocol in which SHA-2 certificate signatures are valid.

If TLS 1.0 is such a protocol version, then I would expect
SSL_library_init() to initialize SHA-2 message digests.

Has the guidance to developers who use OpenSSL for TLS/SSL rather than
as a general-purpose cryptography toolkit changed wrt. library initialization?

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org