Feature #2765: Allow generation an x509 certificates with an SHA256 signature hash - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #2765

closed

Allow generation an x509 certificates with an SHA256 signature hash

Added by Dim Hatz almost 12 years ago. Updated over 11 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Certificates

Target version:

Start date:

01/19/2013

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

Apparently pfsense's Cert Manager has hard-coded the use of SHA-1 for all PKI operations ("digest_alg" => "sha1" in /etc/inc/certs.inc).

It'd be nice to allow user-selectable digest_alg (options would be sha224/sha256/sha384/sha512), since according to Wiki & NIST "cryptographic weaknesses were discovered in SHA-1 and the standard is no longer approved for most cryptographic uses after 2010".

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Dim Hatz almost 12 years ago

Just quick update:

1) The relevant keyword in openssl.cnf is default_md = sha256 # (md5/sha512/etc)
2) For openssl command-line -sha256 is correct for commandline req including req -x509, and x509 including x509 -req, but not for "openssl ca". ca uses -md sha256.

Actions

Copy link

Updated by Jim Pingle almost 12 years ago

Assignee set to Jim Pingle

I'd hate to hardcode a list, but openssl doesn't appear to have a good way to list the available message digest algorithms in the version we use. "openssl list-message-digest-commands" doesn't contain all the right ones, and "list-message-digest-algorithms" seems to only be in OpenSSL >= 1.0.

Passing an invalid parameter to "openssl dgst" such as "openssl dgst -h" can get one somewhat but it's still would be awkward to parse.

May be better to hardcode in the long run since many of these are probably unsuitable anyhow...


-md5            to use the md5 message digest algorithm (default)
-md4            to use the md4 message digest algorithm
-md2            to use the md2 message digest algorithm
-sha1           to use the sha1 message digest algorithm
-sha            to use the sha message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm
-mdc2           to use the mdc2 message digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm

Actions

Copy link