Bug 1175904 - Does RHEL 5 openssl-0.9.8e* support SHA-2?
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.11
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
Reported: 2014-12-18 20:50 UTC by Bryan Totty
Modified: 2019-02-15 13:57 UTC (History)
Doc Type: Bug Fix
Last Closed: 2014-12-19 08:07:16 UTC


Description Bryan Totty 2014-12-18 20:50:03 UTC
Description of problem:

Does RHEL 5 openssl-0.9.8e* support SHA-2?

I have found it difficult to find exactly what level of support RHEL 5's openssl-0.9.8* has for SHA-2.

I have heard that:

"RHEL5 openssl does not support SHA2-based ciphers.

It does support the generation of sha256 hashes, and also sha256 when used in items like certificate key signatures"

Can we get further elaboration and documentation on exactly what openssl-0.9.8e does and does not support in reference to SHA-2?


Version-Release number of selected component (if applicable):

openssl-0.9.8e


Reference:


I see that there was a change here:

https://www.openssl.org/news/openssl-0.9.8-notes.html

------------------------------------------------------------------
Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:

    Fix for security issue CVE-2010-0742.
    Various DTLS fixes.
    Recognise SHA2 certificates if only SSL algorithms added. <<<<<<<<<<
    Fix for no-rc4 compilation.
    Chil ENGINE unload workaround. 
------------------------------------------------------------------

But I can see:

------------------------------------------------------------------
# man openssl

...
      dgst      Message Digest Calculation.
...
   MESSAGE DIGEST COMMANDS
       md2       MD2 Digest

       md5       MD5 Digest

       mdc2      MDC2 Digest

       rmd160    RMD-160 Digest

       sha       SHA Digest

       sha1      SHA-1 Digest

       sha224    SHA-224 Digest

       sha256    SHA-256 Digest

       sha384    SHA-384 Digest

       sha512    SHA-512 Digest
------------------------------------------------------------------

rhel5 ~]# openssl list-cipher-commands | grep -i sha | wc -l
0

rhel5 ~]# openssl list-message-digest-commands | grep -i sha
sha
sha1

http://en.wikipedia.org/wiki/SHA-2

Comment 1 Tomas Mraz 2014-12-19 08:07:16 UTC
The patch above is present in our packages. Basically there is full support for SHA-2 algorithms, including X509 certificates, except for TLS ciphersuites, because the SHA-2 support in TLS ciphersuites is present in TLS 1.2 only, which is not available in RHEL-5 OpenSSL.

Of course the defaults for generating new certificates do not use SHA-2 because that was changed in later RHEL releases only. There is no problem with locally changing the default in openssl.conf by the system administrator though.

I am closing the bug as NOTABUG, feel free to reopen and reassign to appropriate documentation component if you think this comment is not sufficient. Although I think that a simple KBase article should be sufficient.
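
The three levels of support distinguished in Comment 1 (digests, X.509 signatures, TLS ciphersuites) can each be checked against a given openssl binary. The script below is an added example, not part of the bug report or of any Red Hat tooling; the `OPENSSL` variable, the function names and the sample cipher lines are constructed for illustration.

```shell
#!/bin/sh
# Probe an openssl binary for the three kinds of SHA-2 support discussed above.
# Assumption: OPENSSL names the binary to test; defaults to the one on PATH.
OPENSSL=${OPENSSL:-openssl}

# Constructed sample of `openssl ciphers -v` lines (not captured from RHEL 5).
SAMPLE_SUITES='AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

# 1. Digest: hash the standard "abc" test vector and compare with its known SHA-256.
has_sha256_digest() {
    printf 'abc' | "$OPENSSL" dgst -sha256 2>/dev/null |
        grep -q 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
}

# 2. X.509: sign a throwaway self-signed certificate with SHA-256 and print
#    the signature algorithm the binary actually wrote into it.
cert_sig_alg() {
    tmp=$(mktemp -d) || return 1
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=sha2-probe' -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        2>/dev/null &&
    "$OPENSSL" x509 -in "$tmp/cert.pem" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
    rm -rf "$tmp"
}

# 3. TLS: count ciphersuites whose name ends in SHA256 or SHA384.
#    Reads `openssl ciphers -v` output on stdin so it can be checked offline.
count_sha2_suites() {
    awk '$1 ~ /SHA(256|384)$/ { n++ } END { print n + 0 }'
}

sha2_report() {
    if has_sha256_digest; then echo "digest:       sha256 OK"
    else echo "digest:       sha256 unavailable"; fi
    alg=$(cert_sig_alg)
    echo "x509 signing: ${alg:-sha256 request failed}"
    n=$("$OPENSSL" ciphers -v 'ALL' 2>/dev/null | count_sha2_suites)
    echo "tls suites:   $n named with SHA256/SHA384"
}

# Live probe only when asked (sh sha2_probe.sh probe); otherwise count the sample.
if [ "${1:-}" = "probe" ]; then sha2_report
else printf '%s\n' "$SAMPLE_SUITES" | count_sha2_suites
fi
```

On a build matching Comment 1's description, the first two checks would succeed while the ciphersuite count stays at 0.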

