Does RHEL 5 openssl support SHA-2?


Environment

  • Red Hat Enterprise Linux 5
  • openssl-0.9.8e-22.el5

Issue

Does RHEL 5 openssl support SHA-2?

Resolution

  • RHEL5 openssl does not support any SHA2-based ciphers.
  • It does support the generation of sha256 hashes, and also RSAwithSHA256 signatures.
  • It does not support the generation of DSAwithSHA256 signatures.

Root Cause

RHEL5 openssl has limited support for SHA2 entities.

Hash digests are supported

$ openssl dgst --help 2>&1 | grep sha
-sha1           to use the sha1 message digest algorithm
-sha             to use the sha message digest algorithm
-sha224         to use the sha224 message digest algorithm
-sha256         to use the sha256 message digest algorithm
-sha384         to use the sha384 message digest algorithm
-sha512         to use the sha512 message digest algorithm

$ openssl dgst -sha256 /etc/hosts
SHA256(/etc/hosts)= 55444a09183c229ef5dbb2c8f1b641b5eed565e9897e46b7d492df77d58672ab

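Generation and validation of certificate signatures using RSAwithSHA256 is also supported. The transcript below lets genrsa use its default key size, which is 512 bits in this version; pass an explicit size such as 2048 for any real key.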

$ openssl genrsa -out n.key
Generating RSA private key, 512 bit long modulus
.....................++++++++++++
.......++++++++++++
e is 65537 (0x10001)

$ openssl req -new -subj "/CN=test.example.com/emailAddress=test@example.com" -key n.key -out n.csr -sha256

$ openssl req -in n.csr -noout -text -reqopt no_pubkey
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=test.example.com/emailAddress=test@example.com
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
        84:88:bd:e6:3e:c5:8a:ad:f9:f0:ec:56:88:df:ba:45:ed:48:
        25:0f:4c:61:d0:e6:74:21:6e:6d:b3:64:fc:7f:ca:3b:20:86:
        a9:cd:00:e2:a2:7b:76:a0:33:ec:e6:d2:de:31:d4:af:04:14:
        fb:38:a0:dc:09:57:84:4f:a4:c8

RHEL5 openssl does not support the following:

  • Signatures using sha256WithDSAEncryption
  • Ciphers with SHA256 digests (e.g., DHE-RSA-AES256-SHA256)
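
The checks above can be scripted to compare openssl builds across hosts. This is an added example, not part of the original article; the function names, the `--probe` argument and the 2048-bit key size are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original article): report which of the
# SHA-2 capabilities discussed above an openssl build provides.

# Print the signature algorithm found in `openssl req -text` or
# `openssl x509 -text` output read from stdin.
sig_alg() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the names of cipher suites ending in SHA256/SHA384, reading
# `openssl ciphers -v` output from stdin. Prints nothing if there are none.
sha2_suites() {
    awk '$1 ~ /[-_]SHA(256|384)$/ { print $1 }'
}

# Probe the openssl binary on PATH. The 2048-bit key size is an assumption
# of this example; the article's transcript used the old 512-bit default.
probe_local() {
    tmp=$(mktemp -d) || return 1
    openssl version
    if printf 'abc' | openssl dgst -sha256 >/dev/null 2>&1; then
        echo "sha256 digest: supported"
    else
        echo "sha256 digest: NOT supported"
    fi
    openssl genrsa -out "$tmp/n.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -subj "/CN=test.example.com" \
        -key "$tmp/n.key" -out "$tmp/n.csr" 2>/dev/null
    alg=$(openssl req -in "$tmp/n.csr" -noout -text 2>/dev/null | sig_alg)
    echo "CSR signature algorithm: ${alg:-none produced}"
    n=$(openssl ciphers -v 'ALL' 2>/dev/null | sha2_suites | wc -l | tr -d ' ')
    echo "SHA256/SHA384 cipher suites: $n"
    rm -rf "$tmp"
}

# Run the probe only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--probe" ]; then
    probe_local
fi
```

Run it with `--probe` on each host; on the RHEL 5 package described here the suite count is expected to be 0 while the CSR line reports sha256WithRSAEncryption.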

Relevant entries from the package change log:

* Wed Oct 19 2011 Tomas Mraz <tmraz@redhat.com> 0.9.8e-21
- add known answer test for SHA2 algorithms (#740866)

* Thu  Mar 10 2011 Tomas Mraz <tmraz@redhat.com> 0.9.8e-18
- add SHA-2 hashes in SSL_library_init() (#676384)
