Greg Troxel | 25 Feb 15:42 2012

openssl x509 -hash


Some colleagues have been finding that "openssl x509 -hash" produces
different results on netbsd-5 vs -current (late 2011).  The results are
consistent between i386/amd64.

(The hashes are used as symlinks in a CA directory to allow finding
trust anchor CA certs; we are using a private CA.)

1) Is anyone else seeing this?

2) Is there a notion that these hashes are meant to be computed/used on
a single machine, or are they meant to be broadly portable?  The man
page doesn't explain this very well.
Greg Troxel | 27 Feb 21:32 2012

Re: openssl x509 -hash


Greg Troxel <gdt <at> ir.bbn.com> writes:

> Some colleagues have been finding that "openssl x509 -hash" produces
> different results on netbsd-5 vs -current (late 2011).  The results are
> consistent between i386/amd64.
>
> (The hashes are used as symlinks in a CA directory to allow finding
> trust anchor CA certs; we are using a private CA.)
>
> 1) Is anyone else seeing this?
>
> 2) Is there a notion that these hashes are meant to be computed/used on
> a single machine, or are they meant to be broadly portable?  The man
> page doesn't explain this very well.

It seems that openssl has changed the certificate hash algorithm from
md5 to sha1, and the man page even hints at this:

  http://www.openssl.org/docs/apps/x509.html

This is really about openssl and not a NetBSD-specific issue, but people
who have symlinks in CA directories will find that, on upgrading,
validation fails.

I can't find this explained in upstream's NEWS or Changelog.

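What changed between the two hashes, in runnable form. This is an added example, not code from the posts above or from OpenSSL itself: it re-implements the two subject-hash flavours in Python so the difference can be seen without two NetBSD installs. The old value (OpenSSL 0.9.8 and earlier) is MD5 over the DER-encoded subject Name; the new value (1.0.0 and later) is SHA-1 over OpenSSL's canonical encoding of the Name, in which every string is converted to UTF8String, ASCII letters are lower-cased, runs of whitespace collapse to one space, and the outer SEQUENCE header is dropped. Both take the first four digest bytes as a little-endian 32-bit integer and print it as eight hex digits. The subject DN, the attribute-OID table and the helper names below are constructed for the example.

```python
"""
Both flavours of the OpenSSL subject hash, i.e. the value behind
`openssl x509 -hash` and the <hash>.0 symlinks in a CA directory.

  old (OpenSSL <= 0.9.8): MD5 over the DER encoding of the subject Name.
  new (OpenSSL >= 1.0.0): SHA-1 over OpenSSL's *canonical* encoding of the
      Name: every string value converted to UTF8String, ASCII lower-cased,
      whitespace runs collapsed, and the outer SEQUENCE header dropped
      (only the concatenated RDN SETs are digested).

Either way the first four digest bytes are read as a little-endian 32-bit
integer and printed as eight lower-case hex digits.

The DN below is a constructed example, not a real CA.
"""
import hashlib

# DER object identifiers for the usual DN attribute types (table assumed
# for this example; add entries as needed).
OID = {
    "C": bytes.fromhex("550406"), "ST": bytes.fromhex("550408"),
    "L": bytes.fromhex("550407"), "O": bytes.fromhex("55040a"),
    "OU": bytes.fromhex("55040b"), "CN": bytes.fromhex("550403"),
}
TAG_OID, TAG_UTF8, TAG_PRINTABLE = 0x06, 0x0C, 0x13
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
ASCII_WS = b" \t\n\r\x0b\x0c"


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def canonicalize(raw: bytes) -> bytes:
    """Mirror OpenSSL's asn1_string_canon(): trim, collapse whitespace runs
    to one space, lower-case ASCII; bytes with the high bit set pass through."""
    out, in_space = bytearray(), False
    for b in raw.strip(ASCII_WS):
        if b in ASCII_WS:
            if not in_space:
                out.append(0x20)
            in_space = True
        else:
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            in_space = False
    return bytes(out)


def encode_name(rdns, canonical=False) -> bytes:
    """rdns: list of RDNs, each a list of (attr, value, string_tag) tuples.
    canonical=False -> ordinary DER Name (input of the old MD5 hash).
    canonical=True  -> OpenSSL canonical form (input of the SHA-1 hash)."""
    sets = b""
    for rdn in rdns:
        avas = []
        for attr, value, string_tag in rdn:
            raw = value.encode("utf-8")
            if canonical:
                raw, string_tag = canonicalize(raw), TAG_UTF8
            avas.append(tlv(TAG_SEQUENCE, tlv(TAG_OID, OID[attr]) + tlv(string_tag, raw)))
        # DER orders the members of a SET OF by their encoded bytes.
        sets += tlv(TAG_SET, b"".join(sorted(avas)))
    return sets if canonical else tlv(TAG_SEQUENCE, sets)


def first_four_le(digest: bytes) -> str:
    """What X509_NAME_hash*() return: md[0] | md[1]<<8 | md[2]<<16 | md[3]<<24."""
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(rdns) -> str:
    return first_four_le(hashlib.md5(encode_name(rdns)).digest())


def subject_hash(rdns) -> str:
    return first_four_le(hashlib.sha1(encode_name(rdns, canonical=True)).digest())


def link_names(rdns):
    """Both symlink names a cert with this subject needs if the CA directory
    has to work before and after the 0.9.8 -> 1.0.0 upgrade."""
    return sorted({subject_hash_old(rdns) + ".0", subject_hash(rdns) + ".0"})


# Constructed private-CA subject: C as PrintableString, the rest UTF8String.
PRIVATE_CA = [
    [("C", "US", TAG_PRINTABLE)],
    [("O", "Example Corp", TAG_UTF8)],
    [("CN", "Example Private CA", TAG_UTF8)],
]

if __name__ == "__main__":
    print("old (md5):  ", subject_hash_old(PRIVATE_CA))
    print("new (sha1): ", subject_hash(PRIVATE_CA))
    print("symlinks:   ", " ".join(link_names(PRIVATE_CA)))
```

Two practical consequences follow from the canonical form: two CAs whose subjects differ only in letter case or spacing now collide on the same new-style link name, and the string type chosen at signing time (PrintableString vs UTF8String) no longer influences the hash, which it did under MD5. OpenSSL 1.0.0 and later still print the legacy value with `openssl x509 -subject_hash_old -noout -in ca.pem`, so a directory that carries both `<hash>.0` links keeps validating on either side of the upgrade. Before relying on this re-implementation, compare its output with `-subject_hash` and `-subject_hash_old` on a real certificate; the encoder here only covers the attribute types in its OID table.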