Hi,

I tried to set sha1 for "openssl ca -gencrl" but it doesn't work. I checked the source code (0.9.8 and 0.9.7) and found that the req section in apps/ca.c contains the following lines (1012-1017):

    if ((md == NULL) && ((md=NCONF_get_string(conf,
        section,ENV_DEFAULT_MD)) == NULL))
        {
        lookup_fail(section,ENV_DEFAULT_MD);
        goto err;
        }

but the crl area ignores default_md: it checks for DSA and EC keys and, if it is an RSA key, uses MD5. Only -md is checked. Is there a special reason why default_md is ignored, or is it possible to replace the following line (1427):

    dgst=EVP_md5();

A solution could be:

    if ((md=NCONF_get_string(conf,section,ENV_DEFAULT_MD)) == NULL)
        {
        dgst=EVP_md5();
        }
    else
        {
        if ((dgst=EVP_get_digestbyname(md)) == NULL)
            {
            BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
            goto err;
            }
        }

I never touched this area before, so perhaps it is necessary to introduce ENV_DEFAULT_CRL_MD, or are CRLs with sha1 generally not allowed?

Any comments please?

Best regards
Michael

--
-------------------------------------------------------------------
Michael Bell                    Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice  Tel.: +49 (0)30-2093 2482
(Computing Centre)              Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                    Email (private): [EMAIL PROTECTED]
Germany                         http://www.openca.org
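Added check, not code from the post or from OpenSSL: a standard-library Python script that walks the outer DER structure of a CRL and reports its signatureAlgorithm OID, so a CA operator can confirm whether "openssl ca -gencrl" really signed with MD5 or with SHA-1. The CRL inputs below are constructed skeletons (empty tbsCertList, dummy signature), not real CRLs.

```python
# signatureAlgorithm OIDs ca.c chooses between (RSA -> MD5, DSA -> SHA1,
# EC -> SHA1) plus sha1WithRSAEncryption, which default_md should select.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real CRLs)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert OBJECT IDENTIFIER content octets to dotted-decimal."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def crl_signature_algorithm(der):
    """Return (oid, name) from the outer signatureAlgorithm of a DER CRL."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    _, _, pos = _read_tlv(cert_list, 0)          # skip tbsCertList
    _, alg_id, _ = _read_tlv(cert_list, pos)     # AlgorithmIdentifier
    _, oid_raw, _ = _read_tlv(alg_id, 0)         # its algorithm OID
    oid = _decode_oid(oid_raw)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")

def _tlv(tag, content):                    # short-form DER encoder for samples
    return bytes([tag, len(content)]) + content

def make_sample_crl(oid_hex):
    """Constructed CertificateList skeleton carrying the given signature OID."""
    alg_id = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00\xab"))

# Constructed samples: what an RSA CA emits today (MD5) vs. with sha1.
SAMPLE_MD5_CRL = make_sample_crl("2a864886f70d010104")
SAMPLE_SHA1_CRL = make_sample_crl("2a864886f70d010105")
```

For a real file, pass the bytes of "openssl crl -outform DER" output to crl_signature_algorithm.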