Hi,

On Mon, Jul 14, 2003 at 09:03:16AM +0200, Michael Bell via RT wrote:
> I tried to set sha1 for "openssl ca -gencrl" but it doesn't work. I
> checked the source code (0.9.8 and 0.9.7) and found that the req section
> in apps/ca.c contains the following lines:

[...]

> but the crl area ignores default_md, checks for DSA and EC keys and if
> it is an RSA key then it is a MD5. Only -md is checked. Is there a
> special reason why default_md is ignored or is it possible to replace
> the following lines:

[...]

> I never touched this area before so perhaps it is necessary to introduce
> ENV_DEFAULT_CRL_MD or are CRLs with sha1 generally not allowed? Any
> comments please?

The attached patch works for us. 

Peter

-- 
Thought is limitation. Free your mind.
use default_md for CRLs too
<michael.calmer at suse dot com>

--- apps/ca.c
+++ apps/ca.c   2004/05/12 09:13:46
@@ -1402,7 +1402,8 @@
 
                /* we now have a CRL */
                if (verbose) BIO_printf(bio_err,"signing CRL\n");
-               if (md != NULL)
+                if ((md != NULL) || ((md=NCONF_get_string(conf,
+                                      section,ENV_DEFAULT_MD)) != NULL))
                        {
                        if ((dgst=EVP_get_digestbyname(md)) == NULL)
                                {
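
Review bot: the new `if` condition hides the ENV_DEFAULT_MD lookup as an assignment inside the test, so `md` is silently overwritten only when -md was not given; doing the `NCONF_get_string(conf,section,ENV_DEFAULT_MD)` lookup in its own statement before the `if` would make that precedence (-md first, then default_md) explicit and easier to audit. When neither -md nor default_md is set, nothing in this hunk changes the other branch, so per the report quoted above an RSA key would still get an MD5-signed CRL; that remaining fallback deserves a comment here or a note in the documentation. The added line is also indented one column deeper than the line it replaces.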
