Question regarding openssl program to compute the hashes and finger-prints.


Khadija Amin (khamin)
Hello All,

I have a question regarding the c_rehash utility used to create symbolic links to files named by the hash values.
I understand that c_rehash calls openssl to compute the hash by invoking the following command:

$OPENSSL x509 -hash -fingerprint -noout -in $file

What I noticed, recent openssl versions (1.0) are producing a hash that is different from the earlier openssl versions (0.9.8u). Has the hash algorithm that the above command uses changed? (e.g. from md5 to sha1?) Is it possible to specify the hash algorithm explicitly in the above command so that I can have both versions of openssl create the same .0 file?

Any pointers are greatly appreciated as this is affecting back compatibility of my application.

Thank you.
Khadija

Re: Question regarding openssl program to compute the hashes and finger-prints.

Jakob Bohm-7
On 5/14/2013 8:33 AM, Khadija Amin (khamin) wrote:

> Hello All,
>
> I have a question regarding the c_rehash utility used to create symbolic
> links to files named by the hash values.
> I understand that c_rehash calls openssl to compute the hash by invoking
> the following command:
>
> $OPENSSL x509 -hash -fingerprint -noout -in $file
>
> What I noticed, recent openssl versions (1.0) are producing a hash that is
> different from the earlier openssl versions (0.9.8u). Has the hash
> algorithm that the above command uses changed? (e.g. from md5
> to sha1?) Is it possible to specify the hash algorithm explicitly in
> the above command so that I can have both versions of openssl create the
> same .0 file?
>
> Any pointers are greatly appreciated as this is affecting back
> compatibility of my application.
>

The hash produced by c_rehash matches what the OpenSSL certificate
validation code in the same version of OpenSSL will look for.

In OpenSSL 1.0, two changes were made to the hashes (according to the
CHANGES file in the source bundles):
   Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.
   [Steve Henson]

There is also an option to produce the old hashes for backward
compatibility:

   Add new -subject_hash_old and -issuer_hash_old options to x509
   utility to output hashes compatible with older versions of OpenSSL.
   [Willy Weisz <[hidden email]>]

For c_rehash, I think -subject_hash_old is the important one.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
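
Added example (not part of the original thread and not OpenSSL's c_rehash): it links each certificate in a directory under both the new `-subject_hash` name and the `-subject_hash_old` name described in the CHANGES entries quoted above, so that 0.9.8 and 1.0 can share one directory. The function names and the `*.pem`-only glob are assumptions, and it has to be run with an OpenSSL 1.0.0 or later binary, since that is where `-subject_hash_old` exists.

```shell
#!/bin/sh
# Added example: link every *.pem in a directory under both hash formats,
# so OpenSSL 0.9.8 (old, MD5-based) and 1.0+ (canonical encoding, SHA1)
# each find the certificate. The hash is only a directory lookup key.
OPENSSL=${OPENSSL:-openssl}    # same variable as the command in the thread

# Print "<hash>.<n>" for certificate file $3 in directory $1: the name that
# already links to it, otherwise the first free suffix. The suffix exists
# because different certificates can share one subject hash.
next_link_name() {
    dir=$1; hash=$2; target=$3; n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n")" = "$target" ]; then
            break                      # already linked: reuse this name
        fi
        n=$((n + 1))
    done
    echo "$hash.$n"
}

# Usage: link_both_hashes /path/to/certdir
link_both_hashes() {
    certdir=$1
    for cert in "$certdir"/*.pem; do
        [ -f "$cert" ] || continue     # also covers an unmatched glob
        base=$(basename "$cert")
        for opt in -subject_hash -subject_hash_old; do
            hash=$("$OPENSSL" x509 "$opt" -noout -in "$cert") || {
                echo "skipping $cert: not a readable certificate" >&2
                continue 2             # move on to the next file
            }
            name=$(next_link_name "$certdir" "$hash" "$base")
            ln -sf "$base" "$certdir/$name"
        done
    done
}
```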

Re: Question regarding openssl program to compute the hashes and finger-prints.

Khadija Amin (khamin)
In reply to this post by Khadija Amin (khamin)

Re-trying..
From: Microsoft Office User <[hidden email]>
Date: Mon, 13 May 2013 23:34:56 -0700
To: <[hidden email]>
Subject: Question regarding openssl program to compute the hashes and finger-prints.


Re: Question regarding openssl program to compute the hashes and finger-prints.

Stan Joyner
Per this web page the hash algorithm did change if I understand your question correctly.

http://www.openssl.org/docs/apps/x509.html

I think c_rehash uses -subject_hash as the option. These options allow you to use the old hash from the command line. Don't know how to get c_rehash to do this.

-subject_hash_old

outputs the "hash" of the certificate subject name using the older algorithm as used by OpenSSL versions before 1.0.0.

-issuer_hash_old

outputs the "hash" of the certificate issuer name using the older algorithm as used by OpenSSL versions before 1.0.0.




On Mon, May 20, 2013 at 4:42 PM, Khadija Amin (khamin) <[hidden email]> wrote:

Re-trying..

RE: Question regarding openssl program to compute the hashes and finger-prints.

J. J. Farrell-2
In reply to this post by Khadija Amin (khamin)

Jakob Bohm gave a complete answer a few hours after your original question; see http://openssl.6102.n7.nabble.com/Question-regarding-openssl-program-to-compute-the-hashes-and-finger-prints-tt45095.html#none

 

 
