Hi Carlos,

if you could file a bug report, that would be great. On my side, I am
thinking about adding an option in the OCSPD configuration file that
will force the signatures to use sha1 also when the OCSPD certificate
is signed with sha256. I think that would solve the problem temporarily.

Cheers,
Max

On 06/16/2011 12:23 PM, Carlos Velasco wrote:
> Hello,
>
>> BUT: we've tracked down that OCSP daemon answer which is signed, may not
>> be signed with a hash size > SHA-1, even with IOS 12.4(15)T or IOS 15.
>> When the OCSP answer is signed with SHA-256 from the OCSP daemon,
>> the cisco router simply responds with:
>>     "E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported"
>
> I really haven't tried it but I have myself filed some bugs in Cisco in
> the past about this OCSP part. It seems they use some old code from RSA
> that is buggy only for this part. I remember last time I had to file a
> bug because this code was not sending the Host header in the HTTP request,
> causing OCSP not to work when using vhosts, like using an apache reverse
> proxy.
>
> Right now I don't have a setup using OCSP with SHA-256, although it is planned
> for the future. If you have a test setup deployed let me know in private,
> maybe I could open a bug in Cisco to solve this there. Although a
> workaround should be needed.
>
> Regards,
> Carlos Velasco

-- 

http://member.acm.org/~openca/

Massimiliano Pala, Ph.D.
Director, OpenCA Labs
Professor, NYU Poly
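As an added example (not part of this thread, OpenCA or OCSPD), here is a small Python script that reads the signatureAlgorithm out of a DER-encoded OCSPResponse and reports whether the responder signed with SHA-1 or SHA-256, so a responder can be checked against a SHA-1-only client before it goes into production. It assumes the input is the raw DER body returned by the responder and builds its own constructed sample response for the demonstration.

```python
# Added example (hypothetical check script, not OpenCA/OCSPD code): walk the
# DER of an OCSPResponse (RFC 2560) down to BasicOCSPResponse.signatureAlgorithm
# so an operator can see which digest a responder signs with before pointing a
# SHA-1-only client at it.  Standard library only; no network access.

OCSP_BASIC = bytes.fromhex("2b0601050507300101")      # id-pkix-ocsp-basic OID
DIGEST_BY_OID = {                                     # OID content octets -> digest
    bytes.fromhex("2a864886f70d010105"): "SHA-1",     # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "SHA-256",   # sha256WithRSAEncryption
    bytes.fromhex("2a8648ce3d0401"): "SHA-1",         # ecdsa-with-SHA1
    bytes.fromhex("2a8648ce3d040302"): "SHA-256",     # ecdsa-with-SHA256
}

def decode_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def ocsp_signature_digest(der):
    """Digest named by the signatureAlgorithm of a DER OCSPResponse."""
    _, outer, _ = decode_tlv(der)                     # OCSPResponse SEQUENCE
    _, status, pos = decode_tlv(outer)                # responseStatus ENUMERATED
    if status != b"\x00":
        raise ValueError("responseStatus not 'successful'; no responseBytes")
    tag, rb, _ = decode_tlv(outer, pos)               # [0] EXPLICIT responseBytes
    _, rb_seq, _ = decode_tlv(rb)                     # ResponseBytes SEQUENCE
    _, rtype, pos = decode_tlv(rb_seq)                # responseType OID
    if tag != 0xA0 or rtype != OCSP_BASIC:
        raise ValueError("not an id-pkix-ocsp-basic response")
    _, basic, _ = decode_tlv(rb_seq, pos)             # response OCTET STRING
    _, basic_seq, _ = decode_tlv(basic)               # BasicOCSPResponse SEQUENCE
    _, _, pos = decode_tlv(basic_seq)                 # skip tbsResponseData
    _, alg_id, _ = decode_tlv(basic_seq, pos)         # signatureAlgorithm
    _, oid, _ = decode_tlv(alg_id)                    # algorithm OID
    return DIGEST_BY_OID.get(oid, "unknown:" + oid.hex())

def encode_tlv(tag, content):
    """Tiny DER encoder for the constructed sample (short-form lengths only)."""
    return bytes([tag, len(content)]) + content

def sample_response(sig_oid):
    """Constructed OCSPResponse: empty tbsResponseData, dummy signature bits."""
    alg_id = encode_tlv(0x30, encode_tlv(0x06, sig_oid) + encode_tlv(0x05, b""))
    basic = encode_tlv(0x30, encode_tlv(0x30, b"") + alg_id + encode_tlv(0x03, b"\x00" + b"\xaa" * 8))
    resp_bytes = encode_tlv(0x30, encode_tlv(0x06, OCSP_BASIC) + encode_tlv(0x04, basic))
    return encode_tlv(0x30, encode_tlv(0x0a, b"\x00") + encode_tlv(0xa0, resp_bytes))
```

Against a live responder, feed it the body of an OCSP HTTP reply (for example saved with `openssl ocsp -respout`); a result other than "SHA-1" is what the IOS versions discussed in the thread reject.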

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users