[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
Subject: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #22 from Phil Pennock <exim-dev@???> 2009-10-19 01:30:13 ---
Re OPENSSL_NO_SHA256 -- current code within OpenSSL can use it, because current
code can assume that it's defined if SHA256 is not loaded. But it won't be
defined before the potential support was written, so if we need to work with
OpenSSL 0.9.7, which we apparently do, then we can't rely on it being present.

Yes, version numbers are clumsy, but as you note, this is a pragmatic fix, not
an ideal one. Ideally, OpenSSL would define macros asserting the availability
of functions; unavailability assertions are useless for any project depending
on their code (unless they're using 0.9.8 or later), only useful within their
own codebase.

So perhaps it needs to be:
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
EVP_add_digest(EVP_sha256());
#endif

How ugly.

Re SHA224 -- I think we should either be doing the minimal possible beyond
default load, explicitly for interoperability (so SHA256) or we should be
looking at my original patch, providing the openssl_load_all functionality.
That patch let you load all ciphers, if and only if you also set
tls_require_ciphers. If we're going to go beyond "just the hash algorithm
currently becoming popular", I do think that patch is the better approach.

Pragmatically, we should have openssl_load_all available and irregardless of
that, load SHA256 by default; it's not ideal, but it will reduce mailing-list
burden by making the most common desired setup the default.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email