Hi,

On Mon, Jul 14, 2003 at 09:03:16AM +0200, Michael Bell via RT wrote:
> I tried to set sha1 for "openssl ca -gencrl" but it doesn't work. I
> checked the source code (0.9.8 and 0.9.7) and found that the req section
> in apps/ca.c contains the following lines:
[...]
> but the crl area ignores default_md, checks for DSA and EC keys and if
> it is an RSA key then it is MD5. Only -md is checked. Is there a
> special reason why default_md is ignored or is it possible to replace
> the following lines:
[...]
> I never touched this area before so perhaps it is necessary to introduce
> ENV_DEFAULT_CRL_MD or are CRLs with sha1 generally not allowed? Any
> comments please?

The attached patch works for us.

Peter
--
Thought is limitation. Free your mind.

use default_md for CRLs too <michael.calmer at suse dot com> --- apps/ca.c +++ apps/ca.c 2004/05/12 09:13:46 @@ -1402,7 +1402,8 @@ /* we now have a CRL */ if (verbose) BIO_printf(bio_err,"signing CRL\n"); - if (md != NULL) + if ((md != NULL) || ((md=NCONF_get_string(conf, + section,ENV_DEFAULT_MD)) != NULL)) { if ((dgst=EVP_get_digestbyname(md)) == NULL) {
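
Review bot: The new condition assigns md inside the if, split across two lines (`(md=NCONF_get_string(conf, section,ENV_DEFAULT_MD)) != NULL`), which hides the config lookup and makes the fallback order hard to read. Suggest doing the lookup as its own statement before the test (if md is NULL, read ENV_DEFAULT_MD, then test md once). When default_md is absent, NCONF_get_string returns NULL and the code still falls through to the key-type default that the report describes as MD5 for RSA keys, so the lookup failure should be cleared from the error queue with ERR_clear_error() before continuing. The documentation for -gencrl should also state that the digest is taken from -md first, then default_md, then the key-type default.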