Folks, The approach of the Exim MTA to cryptography is simple -- don't second-guess the SSL library developers when it comes to choosing which algorithms/digests/etc to load, and provide a knob ("tls_require_ciphers") for administrators to restrict what can be loaded. The MTA developers do not want to be in the cryptoanalysis game, deciding when digests are or are not safe to use and reason that this is best handled by the SSL libraries which are maintained by people who understand this stuff better.
There's a pending request, from February 2008, to load SHA-256 in Exim to let people verify certificates from CAs which have migrated to SHA-256. http://bugs.exim.org/show_bug.cgi?id=674 When RFC 5246 came out, specifying TLS 1.2 and having all mandated cipher suites use SHA-256, we assumed that to aid the transition OpenSSL would add EVL_sha256() to the list of digests initialised in SSL_library_init(), even before support of TLS 1.2 itself. I've checked OpenSSL 1.0.0 beta 2 and see that this is still not the case. I'm seeing usage of SHA-256 become more widespread by CAs today. Are there plans to add this digest to the list initialised by SSL_library_init() ? If not, why not please? Thanks, -Phil ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org