OCSP response signature algorithm

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

OCSP response signature algorithm

John Jiang
Hi,
I'm using OpenSSL 1.1.1.

Can I configure the OCSP response signature algorithm?
For a RSA issuer, it looks SHA256withRSA always be selected.

PreferredSignatureAlgorithms extension in OCSP request may affect this algorithm in OpenSSL OCSP response. However, I prefer to use configuration.

Thanks!
Reply | Threaded
Open this post in threaded view
|

RE: OCSP response signature algorithm

paul h. roubekas

unsubscribe openssl-users

 

 

From: openssl-users <[hidden email]> On Behalf Of John Jiang
Sent: Friday, July 3, 2020 12:19 PM
To: openssl-users <[hidden email]>
Subject: OCSP response signature algorithm

 

Hi,

I'm using OpenSSL 1.1.1.

 

Can I configure the OCSP response signature algorithm?

For a RSA issuer, it looks SHA256withRSA always be selected.

 

PreferredSignatureAlgorithms extension in OCSP request may affect this algorithm in OpenSSL OCSP response. However, I prefer to use configuration.

 

Thanks!

Reply | Threaded
Open this post in threaded view
|

Re: OCSP response signature algorithm

John Jiang
In reply to this post by John Jiang
I just want to know how does OpenSSL implement RFC 6960 section 4.4.7.2
Responder Signature Algorithm Selection.

Could I take a OpenSSL responder to use SHA1withRSA signature algorithm
if the certificate is signed by this algorithm?


On Sat, Jul 4, 2020 at 12:18 AM John Jiang <[hidden email]> wrote:
Hi,
I'm using OpenSSL 1.1.1.

Can I configure the OCSP response signature algorithm?
For a RSA issuer, it looks SHA256withRSA always be selected.

PreferredSignatureAlgorithms extension in OCSP request may affect this algorithm in OpenSSL OCSP response. However, I prefer to use configuration.

Thanks!
Reply | Threaded
Open this post in threaded view
|

Re: OCSP response signature algorithm

John Jiang
I just got the OpenSSL ocsp tool option -rmd for specifying the digest
algorithm in signature.

This option is described at the below page,
https://www.openssl.org/docs/manmaster/man1/openssl-ocsp.html

Just out of curiosity, why isn't it at the following man page?
https://www.openssl.org/docs/man1.1.1/man1/ocsp.html
Though this option is supported by 1.1.1 series.

On Mon, Jul 6, 2020 at 6:15 AM John Jiang <[hidden email]> wrote:
I just want to know how does OpenSSL implement RFC 6960 section 4.4.7.2
Responder Signature Algorithm Selection.

Could I take a OpenSSL responder to use SHA1withRSA signature algorithm
if the certificate is signed by this algorithm?


On Sat, Jul 4, 2020 at 12:18 AM John Jiang <[hidden email]> wrote:
Hi,
I'm using OpenSSL 1.1.1.

Can I configure the OCSP response signature algorithm?
For a RSA issuer, it looks SHA256withRSA always be selected.

PreferredSignatureAlgorithms extension in OCSP request may affect this algorithm in OpenSSL OCSP response. However, I prefer to use configuration.

Thanks!