#848 curl refuses sha-2 signed certificates

closed-fixed
SSL/TLS (29)
6
2014-08-18
2009-07-23
Johan S
No

Due to recent problems with MD5 and SHA-1 message digests, we have been experimenting with X.509 certificates that are signed using SHA-2 digests. This generally works fine with existing SSL protocols and connections. However for OpenSSL support an additional initialisation call is required. If OpenSSL_add_all_digests() or OpenSSL_add_all_algorithms() would be called upon initialisation, then everything will work just fine. Unfortunately the curl command-line application calls SSLeay_add_ssl_algorithms() instead, which in the latest stable OpenSSL release does not yet include SHA-2 signature support. If would be nice if this were added in future curl releases.

Discussion

  • Johan S
    Johan S
    2009-07-23

    I have set up a site to reproduce this. First get the public certificate, then try secure access:
    $ curl -k -o sha2-pub.pem https://sha2.gletsjer.net/sha2-pub.pem
    $ curl --cacert sha2-pub.pem https://sha2.gletsjer.net/
    curl: (35) error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

    When the mentioned patch is applied, this error disappears.

     
  • Johan S
    Johan S
    2009-07-23

    OpenSSL initialisation patch

     
    Attachments
    • priority: 5 --> 6
     
  • Ah, nice find! But I wonder from what OpenSSL version that function is provided. I guess we better add a configure check for it, and use the SSLeay one for those who don't seem to have the OpenSSL_* one.

     
  • Johan S
    Johan S
    2009-07-23

    It seems that OpenSSL_add_all_digests() was introduced in 0.9.5 (that's 9 years ago), older versions indeed use SSLeay_add_all_digests().

     
  • Thanks for the report, this problem is now fixed in CVS!

     
    • status: open --> closed-fixed