http://cvs.openssl.org/chngview?cn=19536
-SSL_library_init() only registers ciphers. Another important initialization
-is the seeding of the PRNG (Pseudo Random Number Generator), which has to
-be performed separately.
+SSL_library_init() mainly adds ciphers and digests used directly by SSL/TLS.
+In some cases this is not sufficient and errors about unknown algorithms
+will occur: for example when an attempt is made to use a certificate using
+SHA256. This can be resolved by also calling OpenSSL_add_all_algorithms().
I find the last two sentences a bit confusing.
Are certificates that use SHA-2 digests conformant with TLS 1.0 (AFAIK
OpenSSL does not support TLS 1.1 or later)?
If such certificates are valid, should not SHA-2 digests be initialized
by SSL_library_init()?
If such certificates are not valid with TLS 1.0, which applications need
to worry about SHA-2 and OpenSSL_add_all_algorithms()?
Postfix only calls SSL_library_init(), with the expectation that
everything required for interoperable TLS/SSL support will be initialized
via this call without resort to OpenSSL_add_all_algorithms(), is this
the wrong expectation? Specifically, I would expect that SHA-2 will
automatically be initialized as soon as OpenSSL implements support for
a version of the protocol in which SHA-2 certificate signatures are valid.
If TLS 1.0 is such a protocol version, then I would expect
SSL_library_init() to initialize SHA-2 message digests.
Has the guidance to developers who use OpenSSL for TLS/SSL rather than
as general-purpose cryptography toolkit changed wrt. library initialization?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
