Hi Stephen, Maarten,
Writing out both hashes is actually the *default behaviour* of fetch-crl3
*provided* the openssl version used by fetch-crl is 1.0.0 or above.
This is the case on RHEL6 and above, for instance.
On the command line, type:
/usr/bin/openssl version
and if it says "1.0.x" you should have been fine. If you see 1.0.0 and
still lack dual hash, read on.
If your system default openssl is too old, install another instance
and set the openssl command used by fetch-crl to point to this new 1.0.0
binary, for example in the config file /etc/fetch-crl.conf:
openssl=/usr/local/bin/openssl1
Also, make sure the default fetch-crl output formats have not been re-set
to something different from the default. Look out for config options "formats"
(when set, this should include "openssl"), and "opensslmode" (if set, it must
be set to "dual").
The options described above are available in all versions of fetch-crl3.
Cheers,
DavidG.
PS: if you only have openssl 0.9.x, no amount of tweaking can make fetch-crl
write out the new hash, since calculating it ab initio is rather complex and
the old hash cannot be transformed to the new one. The old 0.9.x one is
the first 8 nibbles of the MD5 sum of the binary name encoding, whereas the
new 1.x one is (again!) 8 nibbles of the SHA1 sum of the canonical name
encoding of the certificate subject name.
On 2013-04-23 23:33, [log in to unmask] wrote:
> Hi Steve,
>
>>> different versions of openssl (0.9.x vs. 1.0.y) create different hashes,
>>> and fetch-crl just uses the openssl that happens to be installed.
>>
>> Yes; but fetch-crl could do more work. The other .r0 name (i.e. the one that
>> is not installed by fetch-crl) is given to us within the CA rpm itself.
>> Both .0 files are present, so we can infer the stem of both .r0 files,
>> [...]
>> John Kewley has told me that newer openssls can make either version of the
>> hashes.
>
> OK, I suppose fetch-crl could be adapted for one of those methods indeed.
> CC David Groep...
>
--
David Groep
** Nikhef, Dutch National Institute for Sub-atomic Physics,PDP/Grid group **
** Room: H1.50 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
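As an added example (not code from fetch-crl, OpenSSL or the posters above), the following Python reproduces the two subject-name hashes described in the postscript, so that the stems of both <hash>.r0 file names can be worked out from a CA's subject without an OpenSSL 1.x binary. It assumes the OpenSSL rules as implemented in X509_NAME_hash_old() (MD5 over the DER-encoded name) and X509_NAME_hash() (SHA1 over OpenSSL's canonical name encoding: values re-tagged as UTF8String, trimmed, internal whitespace collapsed, ASCII letters lowercased, RDNs concatenated without the outer SEQUENCE header), with the first four digest bytes read as a little-endian integer and printed as 8 hex nibbles. The subjects, the OID table and the openssl_cross_check helper are constructed for the example; only single-valued RDNs with ASCII values are handled.

```python
"""
Added example, not code from fetch-crl or OpenSSL: recompute the two
subject-name hashes that fetch-crl uses as the stem of a CA's <hash>.r0 CRL
file, from the rules stated in the message above.

  old (openssl 0.9.x): MD5 over the DER encoding of the subject name
  new (openssl 1.x):   SHA1 over the "canonical" encoding of the subject name

OpenSSL takes the first 4 digest bytes as a little-endian 32-bit integer and
prints it as 8 hex nibbles. Subjects below are constructed, not real CAs.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

# DER-encoded attribute type OIDs (2.5.4.x) for the RDN types used here
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
       "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
PRINTABLE, UTF8 = 0x13, 0x0C   # ASN.1 string tags


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def parse_dn(dn):
    """'/C=NL/O=Example/CN=Example CA' -> [('C','NL'), ('O','Example'), ...]"""
    return [tuple(p.split("=", 1)) for p in dn.strip("/").split("/") if p]


def rdn(attr, value, tag):
    # RelativeDistinguishedName ::= SET OF SEQUENCE { type OID, value }
    return tlv(0x31, tlv(0x30, tlv(0x06, OID[attr]) + tlv(tag, value)))


def name_der(rdns, tag=PRINTABLE):
    # Name ::= SEQUENCE OF RDN; the string tag is whatever the CA cert carries
    return tlv(0x30, b"".join(rdn(a, v.encode(), tag) for a, v in rdns))


def canon_value(value):
    # asn1_string_canon(): to UTF-8, trim, collapse whitespace runs to one
    # space, lowercase ASCII letters only (non-ASCII characters copied as-is)
    return "".join(c.lower() if c.isascii() else c
                   for c in " ".join(value.split())).encode("utf-8")


def name_canon(rdns):
    # Canonical form: every value re-tagged as UTF8String after canon_value(),
    # RDNs concatenated WITHOUT the outer SEQUENCE header
    return b"".join(rdn(a, canon_value(v), UTF8) for a, v in rdns)


def le32_hex(digest):
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(dn, tag=PRINTABLE):
    return le32_hex(hashlib.md5(name_der(parse_dn(dn), tag)).digest())


def subject_hash_new(dn):
    return le32_hex(hashlib.sha1(name_canon(parse_dn(dn))).digest())


def crl_filenames(dn):
    """The two CRL file names fetch-crl writes in opensslmode=dual."""
    return sorted({subject_hash_old(dn) + ".r0", subject_hash_new(dn) + ".r0"})


def openssl_cross_check(dn):
    """Compare subject_hash_new() with what a local openssl (1.0.0 or newer)
    prints for a throwaway self-signed cert with this subject.
    Returns True/False, or None when no usable openssl binary is on PATH."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "ca.pem"), os.path.join(d, "ca.key")
        try:
            subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048",
                            "-nodes", "-days", "1", "-subj", dn,
                            "-keyout", key, "-out", cert],
                           check=True, capture_output=True)
            out = subprocess.run(["openssl", "x509", "-noout", "-subject_hash",
                                  "-in", cert], check=True,
                                 capture_output=True, text=True).stdout
        except (OSError, subprocess.CalledProcessError):
            return None
        lines = out.split()
        return None if not lines else lines[-1] == subject_hash_new(dn)


if __name__ == "__main__":
    dn = "/C=NL/O=Example Grid/CN=Example Root CA"   # constructed subject
    print("DER-encoded subject:", name_der(parse_dn(dn)).hex())
    print("0.9.x hash:", subject_hash_old(dn), " 1.x hash:", subject_hash_new(dn))
    print("fetch-crl dual-mode files:", crl_filenames(dn))
    print("openssl agrees on the 1.x hash:", openssl_cross_check(dn))
```

On a host that already has a 1.0.0-or-newer openssl, "openssl x509 -noout -subject_hash -subject_hash_old -in <CA cert>" prints both stems directly and is the quicker check. The reproduction above shows why the two cannot be converted into each other: the old value depends on the exact DER bytes the CA put in the certificate (including the string type, PrintableString versus UTF8String), while the new value is taken over a case-folded, whitespace-normalised re-encoding, so both have to be computed from the subject name itself.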