Folks,
The approach of the Exim MTA to cryptography is simple -- don't
second-guess the SSL library developers when it comes to choosing which
algorithms/digests/etc to load, and provide a knob
("tls_require_ciphers") for administrators to restrict what can be
loaded. The MTA developers do not want to be in the cryptoanalysis
game, deciding when digests are or are not safe to use and reason that
this is best handled by the SSL libraries which are maintained by people
who understand this stuff better.
There's a pending request, from February 2008, to load SHA-256 in Exim
to let people verify certificates from CAs which have migrated to
SHA-256. http://bugs.exim.org/show_bug.cgi?id=674
When RFC 5246 came out, specifying TLS 1.2 and having all mandated
cipher suites use SHA-256, we assumed that to aid the transition OpenSSL
would add EVL_sha256() to the list of digests initialised in
SSL_library_init(), even before support of TLS 1.2 itself. I've checked
OpenSSL 1.0.0 beta 2 and see that this is still not the case.
I'm seeing usage of SHA-256 become more widespread by CAs today.
Are there plans to add this digest to the list initialised by
SSL_library_init() ?
If not, why not please?
Thanks,
-Phil
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
