tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: openssl x509 -hash

Greg Troxel <> writes:

> Some colleagues have been finding that "openssl x509 -hash" produces
> different results on netbsd-5 vs -current (late 2011).  The results are
> consistent between i386/amd64.
> (The hashes are used as symlinks in a CA directory to allow finding
> trust anchor CA certs; we are using a private CA.)
> 1) Is anyone else seeing this?
> 2) Is there a notion that these hashes are meant to be computed/used on
> a single machine, or are they meant to be broadly portable?  The man
> page doesn't explain this very well.

It seems that openssl has changed the certificate hash algorithm from
md5 to sha1, and the man page even hints at this:

This is really about openssl and not a NetBSD-specific issue, but people
who have symlinks in CA directories will find that on upgrading that
validation fails.

I can't find this explained in upstream's NEWS or Changelog.

Attachment: pgpy7yKW8Yynh.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index