Bug 1175904

Summary: Does RHEL 5 openssl-0.9.8e* support SHA-2?
Product: Red Hat Enterprise Linux 5
Reporter: Bryan Totty <btotty>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 5.11
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-12-19 08:07:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Bryan Totty 2014-12-18 20:50:03 UTC
Description of problem:

Does RHEL 5 openssl-0.9.8e* support SHA-2?

I have found it difficult to find exactly what level of support RHEL 5's openssl-0.9.8* has for SHA-2.

I have heard that:

"RHEL5 openssl does not support SHA2-based ciphers.

It does support the generation of sha256 hashes, and also sha256 when used in items like certificate key signatures"

Can we get further elaboration and documentation on exactly what openssl-0.9.8e does and does not support in reference to SHA-2?


Version-Release number of selected component (if applicable):

openssl-0.9.8e


Reference:

I see that there was a change here:

https://www.openssl.org/news/openssl-0.9.8-notes.html

------------------------------------------------------------------
Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:

    Fix for security issue CVE-2010-0742.
    Various DTLS fixes.
    Recognise SHA2 certificates if only SSL algorithms added. <<<<<<<<<<
    Fix for no-rc4 compilation.
    Chil ENGINE unload workaround.
------------------------------------------------------------------

But I can see:

------------------------------------------------------------------
# man openssl

...
      dgst      Message Digest Calculation.
...
   MESSAGE DIGEST COMMANDS
       md2       MD2 Digest

       md5       MD5 Digest

       mdc2      MDC2 Digest

       rmd160    RMD-160 Digest

       sha       SHA Digest

       sha1      SHA-1 Digest

       sha224    SHA-224 Digest

       sha256    SHA-256 Digest

       sha384    SHA-384 Digest

       sha512    SHA-512 Digest
------------------------------------------------------------------

rhel5 ~]# openssl list-cipher-commands | grep -i sha | wc -l
0

rhel5 ~]# openssl list-message-digest-commands | grep -i sha
sha
sha1

http://en.wikipedia.org/wiki/SHA-2

Comment 1 Tomas Mraz 2014-12-19 08:07:16 UTC
The patch above is present in our packages. Basically there is full support for SHA-2 algorithms including X509 certificates except for TLS ciphersuites, because the SHA-2 support in TLS ciphersuites is present in TLS 1.2 only, which is not available in RHEL-5 OpenSSL.

Of course the defaults for generating new certificates do not use SHA-2 because that was changed in later RHEL releases only. There is no problem with locally changing the default in openssl.conf by the system administrator though.

I am closing the bug as NOTABUG, feel free to reopen and reassign to the appropriate documentation component if you think this comment is not sufficient. Although I think that a simple KBase article should be sufficient.
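A shell probe, added here as an example that is not part of the bug report, for checking the three support levels comment 1 distinguishes (SHA-256 digests, SHA-256 certificate signatures, SHA-2 based TLS 1.2 ciphersuites) against any OpenSSL build. The function names are mine; the TLS 1.2 check assumes the `openssl ciphers -v` output format, where SHA-2 MACs appear as Mac=SHA256 or Mac=SHA384 and GCM-style suites as Mac=AEAD, so a 0.9.8 build that only shows Mac=SHA1 (and Mac=MD5) is classified as having no SHA-2 ciphersuites.

```shell
#!/bin/sh
# Added example (not from the bug report): probe an OpenSSL build for the three
# SHA-2 support levels distinguished in comment 1: digest computation,
# SHA-256 certificate signatures, and SHA-2 based TLS 1.2 ciphersuites.
# Function names are hypothetical helpers, not OpenSSL commands.

# Given the text of `openssl ciphers -v ALL`, print yes when any suite uses a
# SHA-2 MAC or an AEAD mode; both appear only with TLS 1.2 suites. Else no.
tls12_from_cipher_list() {
    if printf '%s\n' "$1" | grep -Eq 'Mac=(SHA256|SHA384|AEAD)'; then
        echo yes
    else
        echo no
    fi
}

# Map the three probe results (yes/no each) to a one-line verdict.
summarize_sha2() {
    digest="$1"; cert="$2"; tls12="$3"
    if [ "$digest" = no ]; then
        echo "no SHA-2 support"
    elif [ "$cert" = no ]; then
        echo "SHA-2 digests only"
    elif [ "$tls12" = no ]; then
        echo "SHA-2 digests and certificate signatures, no TLS 1.2 ciphersuites"
    else
        echo "full SHA-2 support including TLS 1.2 ciphersuites"
    fi
}

# Run the live probes against one openssl binary (default: the one in PATH).
probe_sha2() {
    bin="${1:-openssl}"
    digest=no; cert=no
    # 1. Can the build compute a SHA-256 digest at all?
    printf 'abc' | "$bin" dgst -sha256 >/dev/null 2>&1 && digest=yes
    # 2. Can it issue and parse a self-signed certificate signed with SHA-256?
    "$bin" req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj /CN=sha2probe -sha256 2>/dev/null \
        | "$bin" x509 -noout -text 2>/dev/null \
        | grep -q sha256WithRSAEncryption && cert=yes
    # 3. Does the cipher list contain any SHA-2 (TLS 1.2) suites?
    tls12=$(tls12_from_cipher_list "$("$bin" ciphers -v ALL 2>/dev/null)")
    summarize_sha2 "$digest" "$cert" "$tls12"
}

probe_sha2 "$@"
```

On a RHEL 5 box the expected verdict is the third one, matching the comment: digests and certificates work, the cipher list stays at Mac=SHA1.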