[openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015

Viktor Dukhovni openssl-users at dukhovni.org
Thu Mar 10 17:14:02 UTC 2016

On Thu, Mar 10, 2016 at 12:58:34PM +0000, Irena Johnson via RT wrote:

> Our clients are having trouble connecting to our GRAM server, which has a
> sha256 host certificate.

The reason for the connection failures may be unrelated to the
certificate signature algorithm.  What specific symptoms lead to
the conclusion that this is the problem?

In OpenSSL 1.0.1 sha256 is enabled by default (via SSL_library_init()
also known as OpenSSL_add_ssl_algorithms()).

> and it appears it's not compatible with sha256 encryption:

This is simply not the case.

> The command "openssl ciphers -v | grep 256" returns nothing.

Not even "AES256" ciphers?  That's rather odd, those have been
around since 0.9.8 IIRC.

And, in any case, this is the wrong test for support for SHA256 in
certificates.  Your problem is with the server certificate, not
the MAC algorithm used in TLS ciphers.

> What version of openssl should they install? Thank you for your help,

The problem is almost certainly elsewhere.  It is of course possible
to build OpenSSL with various algorithms disabled, including
"no-sha256", ... so please report the output of

    $ openssl version -v -p -o -f

and "ldd" output showing the library dependencies of both the "openssl"
command, and your application.

    $ ldd /usr/bin/openssl | egrep 'lib(ssl|crypto)'
    $ ldd /some/executable | egrep 'lib(ssl|crypto)'
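The diagnostics Viktor asks for, collected into one script as an added example; this is not code from the thread or from the OpenSSL project. It assumes that a build configured with "no-sha256" exposes an OPENSSL_NO_SHA256 define in the compiler-flag line of `openssl version -f` (an assumption about how the disabled algorithm shows up; the real confirmation is the `openssl dgst -sha256` run), and it parses the "Signature Algorithm:" line of an `openssl x509 -text` dump so the certificate's own signature algorithm, rather than the cipher list, is what gets checked. The sample outputs embedded below are constructed for the example.

```shell
#!/bin/sh
# Diagnostic helper (added example): separates "is SHA-256 compiled out of this
# libcrypto?" from "what does the server certificate actually use?".

# Constructed sample of `openssl version -v -p -o -f` from a hypothetical
# build made with "no-sha256"; assumption: the disable shows up as a -D flag.
SAMPLE_VERSION_DISABLED='OpenSSL 1.0.1p 9 Jul 2015
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_SHA256 -O3 -Wall'

# Constructed sample from a normal build (no algorithms disabled).
SAMPLE_VERSION_OK='OpenSSL 1.0.1p 9 Jul 2015
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -Wall'

# Constructed fragment of `openssl x509 -noout -text` for a SHA-256 signed cert.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Grid CA
        Subject: CN=gram.example.org
    Signature Algorithm: sha256WithRSAEncryption
         1a:2b:3c:4d'

# Print "disabled" if the version output shows SHA-256 compiled out, else "enabled".
# $1: text of `openssl version -v -p -o -f`
sha256_build_status() {
    if printf '%s\n' "$1" | grep -q 'OPENSSL_NO_SHA256'; then
        echo disabled
    else
        echo enabled
    fi
}

# Print the signature algorithm named in a certificate text dump (first match).
# $1: text of `openssl x509 -noout -text`
cert_signature_algorithm() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# Ask the installed binary to compute a SHA-256 digest: the definitive test.
# Returns 0 if it works, 1 if the digest is unavailable, 2 if openssl is absent.
live_sha256_check() {
    command -v openssl >/dev/null 2>&1 || return 2
    printf '' | openssl dgst -sha256 >/dev/null 2>&1
}

# Show which libssl/libcrypto an executable loads (the ldd step from the mail).
# $1: path to an executable
linked_openssl_libs() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 0; }
    ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto)'
}

# Stand-alone run: report on the local installation and on the constructed samples.
echo "sample (no-sha256 build): $(sha256_build_status "$SAMPLE_VERSION_DISABLED")"
echo "sample (normal build):    $(sha256_build_status "$SAMPLE_VERSION_OK")"
echo "sample cert signed with:  $(cert_signature_algorithm "$SAMPLE_CERT_TEXT")"
if live_sha256_check; then
    echo "local openssl: SHA-256 digest works"
    echo "local build status: $(sha256_build_status "$(openssl version -v -p -o -f)")"
    linked_openssl_libs "$(command -v openssl)"
else
    echo "local openssl: SHA-256 unavailable or openssl not on PATH (status $?)"
fi
```

To apply it to a real server, feed the output of `openssl s_client -connect host:port </dev/null 2>/dev/null | openssl x509 -noout -text` to `cert_signature_algorithm`, and run `linked_openssl_libs` against the client application, not just the `openssl` command, since the two may load different libraries.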
