On 5/14/2013 8:33 AM, Khadija Amin (khamin) wrote:
Hello All,
I have a question regarding the c_rehash utility used to create symbolic
links to files named by the hash values.
I understand that c_rehash calls openssl to compute the hash by invoking
the following command :
$OPENSSL x509 -hash -fingerprint -noout -in $file
What I noticed, recent openssl versions (1.0) are producing a hash that is
different from the earlier openssl versions (0.9.8u). Has the hash
algorithm that the above command uses changed? (e.g. from md5
to sha1??) Is it possible to specify the hash algorithm explicitly in
the above command so that I can have both versions of openssl create the
same .0 file?
Any pointers are greatly appreciated as this is affecting back
compatibility of my application.
The hash produced by c_rehash matches what the OpenSSL certificate
validation code in the same version of OpenSSL will look for.
In OpenSSL 1.0, two changes were made to the hashes (according to the
CHANGES file in the source bundles):
Enhance the hash format used for certificate directory links. The new
form uses the canonical encoding (meaning equivalent names will work
even if they aren't identical) and uses SHA1 instead of MD5. This form
is incompatible with the older format and as a result c_rehash should
be used to rebuild symbolic links.
[Steve Henson]
There is also an option to produce the old hashes for backward
compatibility:
Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
output hashes compatible with older versions of OpenSSL.
[Willy Weisz <we...@vcpc.univie.ac.at>]
For c_rehash, I think -subject_hash_old is the important one.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
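
The approach discussed in the reply above, as an added example that is not part of the original thread and is not the c_rehash script itself: a shell sketch that links every certificate in a directory under both the current subject hash and the `-subject_hash_old` one, so a single directory serves applications linked against either OpenSSL generation. The function names `link_one` and `rehash_both` and the `*.pem` naming are assumptions; `OPENSSL` must point at a 1.0 or later binary, since older ones lack `-subject_hash_old`.

```shell
#!/bin/sh
# Added example: create <hash>.N links for BOTH hash formats.
# OPENSSL selects the binary, in the same way c_rehash uses $OPENSSL.
OPENSSL="${OPENSSL:-openssl}"

# link_one DIR HASH FILE
# Create DIR/HASH.N -> FILE using the first free N. Different certificates
# that share a subject hash get .0, .1, ... as the lookup code expects.
# Returns early if a link for this hash already points at FILE.
link_one() {
    dir=$1; h=$2; file=$3; n=0
    while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
        if [ "$(readlink "$dir/$h.$n")" = "$file" ]; then
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$file" "$dir/$h.$n"
}

# rehash_both DIR
# For each *.pem certificate (assumed naming) compute the new-style hash
# (SHA1 over the canonical subject encoding) and the old-style hash
# (MD5, as used by 0.9.8), then link the file under both names.
rehash_both() {
    dir=$1
    for path in "$dir"/*.pem; do
        [ -f "$path" ] || continue
        file=${path##*/}
        # Skip files the x509 utility cannot parse as a certificate.
        new=$("$OPENSSL" x509 -subject_hash -noout -in "$path") || continue
        old=$("$OPENSSL" x509 -subject_hash_old -noout -in "$path") || continue
        link_one "$dir" "$new" "$file"
        link_one "$dir" "$old" "$file"
    done
}

# Stand-alone use: sh rehash_both.sh /path/to/certdir
if [ "$#" -gt 0 ]; then
    rehash_both "$1"
fi
```

Unlike c_rehash, this sketch never removes existing links, so links left behind by deleted or replaced certificates have to be cleaned up separately.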