Re: [exim-dev] [Bug 1170] SSL fingerprint should be made acc…

Top Page
Delete this message
Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1170] SSL fingerprint should be made accessible
On Thu, May 08, 2014 at 03:35:42PM +0100, Jeremy Harris wrote:

> Both GnuTLS and OpenSSL have suitable entrypoints:
>
>     gnutls_x509_crt_get_fingerprint()
>     X509_digest()

>
> Do we need stronger hash methods also?


At least in OpenSSL (and likely the corresponding GnuTLS function,
but I have not looked) X509_digest() function takes a digest
algorithm parameter. There is not reason to not offer the user
a choice of algorithm.

Postfix also makes the public key (SPKI) digest available for access
checks (same digest algorithm).

-- 
    Viktor.