Craig McGregor wrote:
> I couldn't find a configuration file way of making OpenCA send -sha1 to OpenSSL
> so it would use sha1 for the signature algorithm.
>
> OpenSSL defaults to MD5, although this can be changed by specifying -sha1 on
> the command-line.
> Patching OpenSSL.pm to send -sha1 to OpenSSL seems to do the trick. (attached).
>
> Since sha1 is theoretically stronger than md5, I wonder if this should be
> the default for OpenCA, or is MD5 required for compatibility with early versions
> of Netscape?
>
> Craig.
>
> ------------------------------------------------------------------------
> 305c305
> < my $command = "$self->{shell} req -new ";
> ---
> > my $command = "$self->{shell} req -new -sha1 ";
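Review bot: the digest is hard-coded into the `req -new` command string, so a site that does need MD5 (the Netscape compatibility question raised in the message itself) has no way to turn it back off without editing the module again; consider reading the digest name from OpenCA's configuration and interpolating it, e.g. `my $digest = $self->{digest} || 'sha1';` and `my $command = "$self->{shell} req -new -$digest ";` (the option name `digest` here is hypothetical).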
> 444c444
> < my $command = "$self->{shell} req -x509 ";
> ---
> > my $command = "$self->{shell} req -x509 -sha1 ";
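Review bot: both hunks change only `openssl req` invocations (the request at 305 and the self-signed certificate at 444); nothing in this diff touches how certificates the CA itself issues get their digest, so if the goal is a SHA-1 default for everything OpenCA signs, check whether the CA signing path needs the same treatment or whether it already picks the digest up from `default_md` in the OpenSSL configuration.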
IMO, the default should be for sha-1. There are standards to support this default:
ANSI X9.55, X9.57, ISO 15781
IIRC, research has shown md-5 to be less robust than its 16 bytes would
indicate. I think there were certain conditions under which md-5 results were
predictable. This might make a difference if a substitute certificate were being
created to avoid crl management, especially in the event of compromised private keys.
But this might require changes to the openssl code to establish a sha-1 default.
Best regards,
Bill
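Whichever default OpenCA ends up with, the way to confirm what was actually used is to look at the signatureAlgorithm field of the resulting certificate. The following is an added example, not code from the thread or from OpenCA: a minimal DER walker that pulls that OID out of a certificate and names it; the two sample certificates are constructed skeletons (empty tbsCertificate and signature) carrying md5WithRSAEncryption and sha1WithRSAEncryption.

```python
"""Report which signature algorithm a DER-encoded X.509 certificate carries."""

# OIDs for the two RSA signature algorithms discussed in the thread.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}

def read_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OID content octets into dotted-decimal form (first octet holds arcs 1 and 2)."""
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm(cert_der):
    """Return (oid, name) from Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("outer Certificate must be a SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate, whatever its contents
    tag, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

# Constructed samples: empty tbsCertificate, the AlgorithmIdentifier, and a
# one-byte BIT STRING standing in for the signature value.
SAMPLE_MD5_CERT = bytes.fromhex("30143000300d06092a864886f70d0101040500030100")
SAMPLE_SHA1_CERT = bytes.fromhex("30143000300d06092a864886f70d0101050500030100")

if __name__ == "__main__":
    for label, der in (("md5 sample", SAMPLE_MD5_CERT), ("sha1 sample", SAMPLE_SHA1_CERT)):
        print(label, signature_algorithm(der))
```

On a real certificate, feed it the DER bytes (base64-decode the body of a PEM file first) and treat md5WithRSAEncryption as a finding.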
_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users