Bugs item #2825989, was opened at 2009-07-23 15:45
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2825989&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: new feature request
>Status: Closed
>Resolution: Fixed
Priority: 6
Private: No
Submitted By: koresh (koresh)
Assigned to: Daniel Stenberg (bagder)
Summary: curl refuses sha-2 signed certificates
Initial Comment:
Due to recent problems with MD5 and SHA-1 message digests, we have been experimenting with X.509 certificates that are signed using SHA-2 digests. This generally works fine with existing SSL protocols and connections. However for OpenSSL support an additional initialisation call is required. If OpenSSL_add_all_digests() or OpenSSL_add_all_algorithms() would be called upon initialisation, then everything will work just fine. Unfortunately the curl command-line application calls SSLeay_add_ssl_algorithms() instead, which in the latest stable OpenSSL release does not yet include SHA-2 signature support. It would be nice if this were added in future curl releases.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2009-07-26 19:33
Message:
Thanks for the report, this problem is now fixed in CVS!
----------------------------------------------------------------------
Comment By: koresh (koresh)
Date: 2009-07-23 22:17
Message:
It seems that OpenSSL_add_all_digests() was introduced in 0.9.5 (that's 9
years ago), older versions indeed use SSLeay_add_all_digests().
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2009-07-23 22:06
Message:
Ah, nice find! But I wonder from what OpenSSL version that function is
provided. I guess we better add a configure check for it, and use the
SSLeay one for those who don't seem to have the OpenSSL_* one.
----------------------------------------------------------------------
Comment By: koresh (koresh)
Date: 2009-07-23 16:37
Message:
I have set up a site to reproduce this. First get the public certificate,
then try secure access:
$ curl -k -o sha2-pub.pem https://sha2.gletsjer.net/sha2-pub.pem
$ curl --cacert sha2-pub.pem https://sha2.gletsjer.net/
curl: (35) error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
When the mentioned patch is applied, this error disappears.
----------------------------------------------------------------------
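The failure above happens because the client's TLS library has no digest registered for the certificate's signatureAlgorithm. As an added example (not part of this tracker thread, curl or OpenSSL), the following Python reads that OID straight out of a DER certificate so an operator can tell in advance whether a given certificate needs SHA-2 digest support on the client; the sample certificates it builds are constructed placeholders with only the signature OID filled in.

```python
SIG_ALGS = {  # signatureAlgorithm OIDs and the digest each one implies
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA2_ALGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
             "sha512WithRSAEncryption", "ecdsa-with-SHA256"}
# Constructed DER-encoded OIDs for the sample certificates built below.
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def _tlv(buf, pos):
    """Decode the DER header at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def _decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, alg, sig}."""
    tag, pos, _ = _tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _, pos = _tlv(der, pos)        # skip tbsCertificate entirely
    _, pos, _ = _tlv(der, pos)        # enter the AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)  # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[start:end])

def needs_sha2_digests(der):
    """True if verifying this certificate needs a SHA-2 digest registered."""
    return SIG_ALGS.get(signature_algorithm(der), "unknown") in SHA2_ALGS

def make_sample_cert(oid):
    """Constructed DER skeleton with placeholder tbs and signature (not a real cert)."""
    tbs, sig = bytes([0x30, 3, 0x02, 1, 2]), bytes([0x03, 5, 0, 0, 0, 0, 0])
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = tbs + alg + sig
    return bytes([0x30, len(body)]) + body
```

For a real certificate, pass the DER bytes (the PEM body base64-decoded) to needs_sha2_digests(); a True result with an OpenSSL build that only ran SSLeay_add_ssl_algorithms() is exactly the condition that produces the "unknown message digest algorithm" error.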
Received on 2009-07-26