From: Carlos V. <car...@ni...> - 2012-04-09 23:54:19
> Verified, by default OCSPd 2.1.0 doesn't work with Cisco because of sha256:
>
> ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717) : E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported
>
> However OCSPd is still using sha256 when signing the response:
>
> [pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm sha256WithRSAEncryption
>
> Don't know how to work around this.

Replying to myself...

Attached is a dirty (ugly) patch to the OCSP 2.1.1 source code to force the reply in sha1 for OCSPd. Better than patching libpki, but not a final solution.

Looked into the OCSP RFC and it seems that sha1 and sha256 SHALL be supported, so I will try to open a TAC Case with Cisco to see it working in IOS.

Apart from this patch all seems to be working fine in the OCSP with Cisco. Will be making more tests soon.
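The interoperability problem above comes down to one field: the signatureAlgorithm inside the BasicOCSPResponse. Before pointing a client that only accepts one digest at a responder, it helps to check what the responder actually signs with, independently of its debug log. The following is an added example (not part of this thread, and not OCSPd or LibPKI code): a stdlib-only Python DER walker that pulls the signatureAlgorithm OID out of a DER-encoded OCSPResponse and compares it against the set of algorithms a client supports. The OCSPResponse and BasicOCSPResponse structures follow RFC 6960; the algorithm OIDs are the standard RSA and ECDSA signature OIDs. The sample response built by build_sample_response() is constructed here with placeholder tbsResponseData and signature bytes, so it exercises the framing only and is not a verifiable response.

```python
"""Report which signature algorithm a DER OCSPResponse is signed with.

Added example; not OCSPd/LibPKI code. Minimal DER walking, no external deps.
"""
from typing import Set, Tuple

# Standard signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
OID_ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"   # responseType for BasicOCSPResponse


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OID contents to dotted form (first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def ocsp_signature_algorithm(der: bytes) -> str:
    """Return the name (or dotted OID) of signatureAlgorithm in an OCSPResponse."""
    tag, outer, _ = _read_tlv(der, 0)                     # OCSPResponse SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, status, pos = _read_tlv(outer, 0)                # responseStatus ENUMERATED
    if tag != 0x0A or status != b"\x00":
        raise ValueError("responseStatus is not successful(0); nothing was signed")
    tag, explicit0, _ = _read_tlv(outer, pos)             # [0] EXPLICIT ResponseBytes
    tag, response_bytes, _ = _read_tlv(explicit0, 0)      # ResponseBytes SEQUENCE
    tag, rtype, pos = _read_tlv(response_bytes, 0)        # responseType OID
    if _decode_oid(rtype) != OID_ID_PKIX_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    tag, basic_der, _ = _read_tlv(response_bytes, pos)    # response OCTET STRING
    tag, basic, _ = _read_tlv(basic_der, 0)               # BasicOCSPResponse SEQUENCE
    tag, _tbs, pos = _read_tlv(basic, 0)                  # tbsResponseData (skipped)
    tag, alg_id, _ = _read_tlv(basic, pos)                # signatureAlgorithm SEQUENCE
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)              # algorithm OID
    oid = _decode_oid(oid_bytes)
    return OID_NAMES.get(oid, oid)


def signs_with_supported_algorithm(der: bytes, supported: Set[str]) -> bool:
    """True if the response's signature algorithm is one the client accepts."""
    return ocsp_signature_algorithm(der) in supported


# --- constructed sample input (framing only, not a real signed response) ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_response(sig_oid: str) -> bytes:
    """Constructed OCSPResponse whose BasicOCSPResponse is signed with sig_oid."""
    tbs = _tlv(0x30, _tlv(0x04, b"constructed-tbs"))          # placeholder ResponseData
    alg = _tlv(0x30, _encode_oid(sig_oid) + _tlv(0x05, b""))  # AlgorithmIdentifier + NULL
    sig = _tlv(0x03, b"\x00" + b"\x00" * 32)                  # BIT STRING, dummy signature
    basic = _tlv(0x30, tbs + alg + sig)
    rbytes = _tlv(0x30, _encode_oid(OID_ID_PKIX_OCSP_BASIC) + _tlv(0x04, basic))
    return _tlv(0x30, _tlv(0x0A, b"\x00") + _tlv(0xA0, rbytes))


if __name__ == "__main__":
    resp = build_sample_response("1.2.840.113549.1.1.11")
    print("responder signs with:", ocsp_signature_algorithm(resp))
    print("ok for a sha1-only client:",
          signs_with_supported_algorithm(resp, {"sha1WithRSAEncryption"}))
```

On a live responder, feed the script the raw DER body returned by the OCSP HTTP exchange (for example, the output of openssl ocsp -respout) instead of the constructed sample; if the name printed is not in the client's supported set, the failure seen in the Cisco log above is expected regardless of what the request asked for.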