http://cvs.openssl.org/chngview?cn=19536
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
+SSL_library_init() mainly adds ciphers and digests used directly by SSL/TLS.
+In some cases this is not sufficient and errors about unknown algorithms
+will occur: for example when an attempt is made to use a certificate using
+SHA256. This can be resolved by also calling OpenSSL_add_all_algorithms().

I find the last two sentences a bit confusing. Are certificates that use SHA-2 digests conformant with TLS 1.0 (AFAIK OpenSSL does not support TLS 1.1 or later)? If such certificates are valid, should not SHA-2 digests be initialized by SSL_library_init()? If such certificates are not valid with TLS 1.0, which applications need to worry about SHA-2 and OpenSSL_add_all_algorithms()?

Postfix only calls SSL_library_init(), with the expectation that everything required for interoperable TLS/SSL support will be initialized via this call without resort to OpenSSL_add_all_algorithms(); is this the wrong expectation? Specifically, I would expect that SHA-2 will automatically be initialized as soon as OpenSSL implements support for a version of the protocol in which SHA-2 certificate signatures are valid. If TLS 1.0 is such a protocol version, then I would expect SSL_library_init() to initialize SHA-2 message digests.

Has the guidance to developers who use OpenSSL for TLS/SSL rather than as a general-purpose cryptography toolkit changed wrt. library initialization?

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
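Review bot: the replacement text drops the reminder that PRNG seeding is a separate initialization step ("-is the seeding of the PRNG (Pseudo Random Number Generator), which has to -be performed separately."); the new paragraph talks only about ciphers and digests, so a reader of the rewritten page no longer learns that seeding must still be done by the application. Suggest keeping a sentence on PRNG seeding next to the new OpenSSL_add_all_algorithms() advice, and writing "a certificate signed using SHA256" rather than "a certificate using SHA256" so it is clear which operation produces the unknown-algorithm error.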