[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Top Page
Delete this message
Reply to this message
Author: Jakob Hirsch
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
Subject: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #24 from Jakob Hirsch <jh.exim-bugzilla@???> 2009-10-19 13:17:36 ---
(In reply to comment #22)
> Re OPENSSL_NO_SHA256 -- current code within OpenSSL can use it, because current
> code can assume that it's defined if SHA256 is not loaded. But it won't be
> defined before the potential support was written, so if we need to work with
> OpenSSL 0.9.7, which we apparently do, then we can't rely on it being present.


Um, yeah, sorry, my logic was flawed, of course (occured to me this morning
during brushing teeth).

> Yes, version numbers are clumsy, but as you note, this is a pragmatic fix, not
> an ideal one. Ideally, OpenSSL would define macros asserting the availability
> of functions; unavailability assertions are useless for any project depending
> on their code (unless they're using 0.9.8 or later), only useful within their
> own codebase.


I guess the openssl people just think that everybody is using autoconf. And the
give a hard time to everybody else. All the SHA256 #defines are there even if
OPENSSL_NO_SHA256 is #defined....
EVP_get_digestbyname("sha256") should return the same as EVP_sha256(), but: You
need to run OpenSSL_add_all_digests() before it... this is all very strange.

> So perhaps it needs to be:
> #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
> EVP_add_digest(EVP_sha256());
> #endif


Yes, that would probably be more correct.

> How ugly.


And to make it more ugly, 0.9.7m (and maybe some earlier version) also has
SHA256... don't know how many still use that.

Maybe we should ask the openssl people about this?

Personally, I'd tend to use OpenSSL_add_all_digests() und let the user restrict
the ciphers by an option (and provide a sane default in the sample config).


oh, and btw:

-/* SHA256 is becoming ever moar popular. This makes sure it gets added to the
+/* SHA256 is becoming ever more popular. This makes sure it gets added to the


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email