
Are SHA-2 and SHA-3 supported with newer OpenSSL versions?


Mark Reynolds

Apr 29, 2016, 6:30:19 AM

Hi All,

In response to an earlier question of mine asking for clarification of whether AES 128 was supported, Bill Fenner said:

AES128 support is described in RFC3826, and SHA2 support is described in RFC7630.

...

Yes, when the tools refer to AES, they are referring to AES as described in RFC3826.

>Is it the case that SHA1 and MD5 are the only supported hash algorithms?

Yes, the algorithms from RFC3414

4 days later Wes Hardaker kindly volunteered to implement the newer SHA versions.

Looking in the changelog, I spotted that SHA 2 and 3 seem to be supported. There's a mention in a changelog entry for 5.7.3.pre5:

commit 7ecfd3ede19e9c2218c9bf5959c095ce9fa6c8ab
Author: Brian Sipos <bsip...@users.sourceforge.net>
Date:   Wed Aug 6 10:30:54 2014 -0700

    Fix detection of sha224 and sha384, patch from Brian Sipos

    https://sourceforge.net/p/net-snmp/bugs/2564/

    Luckily nobody's needed to build using an OpenSSL version
    that doesn't support sha224 or sha384, since the inversion
    of the test here would try to use sha224/sha384 support only
    on OpenSSL versions that don't support them!

OpenSSL looks to have supported SHA2 since 0.9.8o:

Changes between 0.9.8n and 0.9.8o [01 Jun 2010]

  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
  OpenSSL 1.0.0.]

  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
     common in certificates and some applications which only call
     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
     [Steve Henson]

https://www.openssl.org/news/cl098.txt

The readme in snmplib/openssl says:

This directory contains modified crypto code from OpenSSL 1.0.0.beta5.

It therefore seems that only SHA1 and MD5 are supported when compiling using the --with-openssl=internal flag, but it seems SHA2 and 3 would be supported when compiling with a newer OpenSSL version?

If my understanding is correct and this is the case, I think it'd provide a useful footnote to the Strong Authentication or Encryption wiki page.

Thanks,

Mark


