Discussion:
[openssl.org #3539] x509 application supports additional fingerprint digests (sha2) not shown in help.
Brian Howson via RT
2014-09-22 07:47:17 UTC
The OpenSSL x509 application supports additional fingerprint digests, but
the help output doesn't show them. The migration to SHA-2 signed x509
Digital Certificates has added interest in using sha2 rather than sha1.


D:\OpenSSL\openssl-1.0.1i\apps>grep -in "digest to use" x509.c
144:" -md2/-md5/-sha1/-mdc2 - digest to use\n",

Should be:

" -md2/-md5/-sha1/-mdc2/-sha192/-sha224/-sha256/-sha384/-sha512 - digest to use\n",




Brian Howson
***@gmail.com

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Rich Salz via RT
2014-09-22 14:38:02 UTC
This is fixed post-1.0.2, where the message says "any supported digest"
See https://github.com/akamai/openssl/tree/rsalz-monolith for a preview.

--
Rich Salz, OpenSSL dev team; ***@openssl.org

Stefan.Neis@t-online.de via RT
2014-09-24 16:14:26 UTC
Hi,

Post by Rich Salz via RT
> This is fixed post-1.0.2, where the message says "any supported digest"
> See https://github.com/akamai/openssl/tree/rsalz-monolith for a preview.

Sorry to say something you apparently don't want to hear (for completely
understandable reasons), but as much as I appreciate getting (quite a lot
of) changes and improvements to documentation and online help
(according to the messages I've read on openssl-dev in the past months),
I really wonder if postponing (almost?) all of them to post-1.0.2 (i.e.
probably for another year or more) really is appropriate.
Most of them don't correspond to code changes that are in post-1.0.2, but
really are relevant for current versions as well, aren't they? So, IMHO it would
be really helpful to have those updates at least in 1.0.2 or even in the next
release of the 1.0.1 branch.

Anyway, thanks a lot for all your work on this, no matter when the benefits
are going to arrive over here.

Regards,
Stefan




Salz, Rich
2014-09-24 16:30:17 UTC
I understand your frustration. We've fixed bugs and added some features in 1.0.2; 'git log apps' will show many entries. Yes, not everything. We're also hoping to have more frequent releases so hopefully the wait won't be as long. And once we clean up some things, my branch will get merged into master, so it will be easier to pick up and use. And since it's the command-line, and not the TLS implementation, hopefully it will be easier for folks to adopt just that.

This doesn't fully address your issue, but maybe it helps a bit.

--
Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz