On Mon, Jun 15, 2009 at 5:46 AM, Phil Pennock <openssl-...@spodhuis.org> wrote:
> When RFC 5246 came out, specifying TLS 1.2 and having all mandated
> cipher suites use SHA-256, we assumed that to aid the transition OpenSSL
> would add EVP_sha256() to the list of digests initialised in
> SSL_library_init(), even before support of TLS 1.2 itself. I've checked
> OpenSSL 1.0.0 beta 2 and see that this is still not the case.
>
> I'm seeing usage of SHA-256 become more widespread by CAs today.
>
> Are there plans to add this digest to the list initialised by
> SSL_library_init()?

I think SSL_library_init() is meant to provide just the subset of
algorithms needed by the SSL/TLS protocol implementation itself, which
currently doesn't include SHA-256. Most applications, however, just
call OpenSSL_add_all_algorithms() to get more than that subset.

If you'd rather not define more encryption algorithms than needed to
cut down some overhead, you should be able to make do with calling
SSL_library_init() and OpenSSL_add_all_digests(). Then the hash
algorithms available for certificate verification will include
SHA-256.

Bodo
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org