Description of problem:
Does RHEL 5 openssl-0.9.8e* support SHA-2?

I have found it difficult to find exactly what level of support RHEL 5's openssl-0.9.8* has for SHA-2.

I have heard that:
"RHEL5 openssl does not support SHA2-based ciphers. It does support the generation of sha256 hashes, and also sha256 when used in items like certificate key signatures."

Can we get further elaboration and documentation on exactly what openssl-0.9.8e does and does not support in reference to SHA-2?

Version-Release number of selected component (if applicable):
openssl-0.9.8e

Reference:
I see that there was a change here:
https://www.openssl.org/news/openssl-0.9.8-notes.html
------------------------------------------------------------------
Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
  Fix for security issue CVE-2010-0742.
  Various DTLS fixes.
  Recognise SHA2 certificates if only SSL algorithms added.   <<<<<<<<<<
  Fix for no-rc4 compilation.
  Chil ENGINE unload workaround.
------------------------------------------------------------------

But I can see:
------------------------------------------------------------------
# man openssl
...
  dgst      Message Digest Calculation.
...
MESSAGE DIGEST COMMANDS
  md2       MD2 Digest
  md5       MD5 Digest
  mdc2      MDC2 Digest
  rmd160    RMD-160 Digest
  sha       SHA Digest
  sha1      SHA-1 Digest
  sha224    SHA-224 Digest
  sha256    SHA-256 Digest
  sha384    SHA-384 Digest
  sha512    SHA-512 Digest
------------------------------------------------------------------

rhel5 ~]# openssl list-cipher-commands | grep -i sha | wc -l
0
rhel5 ~]# openssl list-message-digest-commands | grep -i sha
sha
sha1

http://en.wikipedia.org/wiki/SHA-2
The patch above is present in our packages. Basically there is full support for SHA-2 algorithms, including X509 certificates, except for TLS ciphersuites, because the SHA-2 support in TLS ciphersuites is present in TLS 1.2 only, which is not available in RHEL-5 OpenSSL. Of course the defaults for generating new certificates do not use SHA-2, because that was changed in later RHEL releases only. There is no problem with the system administrator locally changing the default in openssl.conf, though.

I am closing the bug as NOTABUG; feel free to reopen and reassign to the appropriate documentation component if you think this comment is not sufficient, although I think a simple KBase article should be sufficient.
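The three levels of SHA-2 support discussed in this bug (digests, certificate signatures, TLS ciphersuites) can be probed directly on any OpenSSL install. The script below is an added example and is not part of the bug report or of Red Hat's packages. It uses only documented openssl subcommands; the hostname in the subject, the temporary file locations and the openssl.cnf fragment it edits are constructed for the demonstration. Note that `openssl list-cipher-commands` (used in the report) lists the symmetric ciphers of the `enc` command, not TLS ciphersuites; the ciphersuite check is `openssl ciphers -v`, which on a TLS 1.2 capable build shows entries with `Mac=SHA256`/`Mac=SHA384` and on a TLS 1.0/1.1-only build such as 0.9.8e shows none. The SHA-256 check uses the FIPS 180 test vector SHA-256("abc").

```shell
#!/bin/sh
# Added example (not from the bug report or Red Hat): probe an installed
# OpenSSL for the three levels of SHA-2 support discussed in the bug and
# show the administrator-side change of the default signing digest.
set -u

# 1. SHA-2 message digests: SHA-256 of a string via `openssl dgst`.
#    Prints only the hex digest (works with the "(stdin)= ..." and
#    "SHA256(stdin)= ..." output formats of old and new releases).
sha256_of_string() {
    printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.*= //'
}

# 2. SHA-2 on X.509 certificates: generate a throwaway key and self-signed
#    certificate with the requested digest, then report the signature
#    algorithm OpenSSL parses back out of it (e.g. sha256WithRSAEncryption).
#    The subject name is a constructed placeholder.
cert_signature_algorithm() {
    digest="$1"                      # e.g. sha256, or sha1 for comparison
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -"$digest" \
        -subj "/CN=sha2-probe.example" -days 1 \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 || {
        rm -rf "$tmp"; return 1; }
    alg=$(openssl x509 -in "$tmp/cert.pem" -noout -text \
          | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    rm -rf "$tmp"
    printf '%s\n' "$alg"
}

# 3. SHA-2 based TLS ciphersuites: count suites whose MAC is SHA-256/384.
#    These exist only in TLS 1.2, so a 0.9.8 build prints 0.
sha2_ciphersuite_count() {
    openssl ciphers -v 'ALL' 2>/dev/null | grep -c -E 'Mac=SHA(256|384)' || true
}

# 4. The local fix the maintainer mentions: set default_md in a copy of
#    openssl.cnf (on RHEL 5 the live file is /etc/pki/tls/openssl.cnf).
#    Prints the value that is in effect afterwards. Portable (no sed -i).
set_default_md() {
    cnf="$1"; digest="$2"
    sed "s/^default_md[[:space:]]*=.*/default_md = $digest/" "$cnf" > "$cnf.tmp" \
        && mv "$cnf.tmp" "$cnf"
    sed -n 's/^default_md[[:space:]]*=[[:space:]]*//p' "$cnf"
}

# Stand-alone run: print a summary for the installed openssl.
probe_all() {
    openssl version
    echo "SHA-256(abc)          : $(sha256_of_string abc)"
    echo "cert signed with sha256: $(cert_signature_algorithm sha256)"
    echo "SHA-2 TLS ciphersuites : $(sha2_ciphersuite_count)"
    cnf=$(mktemp)
    printf '[ req ]\ndefault_bits = 2048\ndefault_md = sha1\n' > "$cnf"   # constructed fragment
    echo "default_md after edit  : $(set_default_md "$cnf" sha256)"
    rm -f "$cnf"
}

probe_all
```

On openssl-0.9.8e the first two checks succeed (a correct SHA-256 digest and `sha256WithRSAEncryption` on the certificate) while the ciphersuite count is 0, which is exactly the split the maintainer describes; on any TLS 1.2 capable build the count is non-zero.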