[openssl-dev] [openssl.org #4660] error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object

Stephen Henson via RT rt at openssl.org
Fri Sep 2 16:00:02 UTC 2016


On Sat Aug 27 14:01:11 2016, 1047941314 at qq.com wrote:
> Hello:
> I want to use libcurl with OpenSSL, and I built OpenSSL using this
> command:
> "perl configure VC-WIN32 no-asm -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi
> -DOPENSSL_CAPIENG_DIALO"
>
>
> When I use curl to get a URL, e.g. "curl -k https://*.com", it returns the error:
> error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object
>

Quick answer: use OpenSSL 1.1.0. Alternatively disable TLS 1.2 (e.g. curl
command line option) or indicate support only for SHA1+RSA for client signature
algorithms (don't think there is a curl command line option for this).

Long answer: the capi ENGINE in OpenSSL 1.0.2 and earlier uses the CSP attached
to the key for cryptographic operations. Unfortunately this means that SHA2
algorithms are not supported for client authentication.

OpenSSL 1.1.0 adds a workaround for this issue. If you disable TLS 1.2 in
earlier versions of OpenSSL it will not use SHA2 for client auth so that will
also work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4660
Please log in as guest with password guest if prompted
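
The error line from the report above, decoded as an added example (not part of the original thread and not OpenSSL's own code). The function `parse_openssl_error` and the struct are hypothetical names, and the bit layout assumed is the OpenSSL 1.0.x `ERR_PACK` one (8-bit library, 12-bit function, 12-bit reason), which OpenSSL 3.0 changed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERR_LIB_USER_BASE 128   /* value of ERR_LIB_USER in OpenSSL's err.h */

struct ossl_err {               /* hypothetical container for this example */
    unsigned long code;
    int lib, func, reason;
    int runtime_lib;            /* 1 if the library number is >= 128 */
    char func_name[64];
    char reason_text[128];
};

/* Parse "error:<hex>:<lib>:<func>:<reason>" and unpack <hex> using the
 * OpenSSL 1.0.x layout: 8 bits lib, 12 bits func, 12 bits reason.
 * Returns 0 on success, -1 if the line is malformed, -2 if a "lib(N)"
 * field disagrees with the library number packed in the code. */
int parse_openssl_error(const char *line, struct ossl_err *out)
{
    char hex[9], libfield[64];
    int shown;

    memset(out, 0, sizeof(*out));
    if (sscanf(line, "error:%8[0-9A-Fa-f]:%63[^:]:%63[^:]:%127[^\r\n]",
               hex, libfield, out->func_name, out->reason_text) != 4)
        return -1;
    out->code   = strtoul(hex, NULL, 16);
    out->lib    = (int)((out->code >> 24) & 0xFF);
    out->func   = (int)((out->code >> 12) & 0xFFF);
    out->reason = (int)(out->code & 0xFFF);
    out->runtime_lib = out->lib >= ERR_LIB_USER_BASE;
    /* "lib(N)" is printed when no library name string is registered. */
    if (sscanf(libfield, "lib(%d)", &shown) == 1 && shown != out->lib)
        return -2;
    return 0;
}

int main(void)
{
    struct ossl_err e;
    /* The error line quoted in the report above. */
    int rc = parse_openssl_error(
        "error:89070063:lib(137):CAPI_RSA_SIGN:cant create hash object", &e);
    printf("rc=%d lib=%d func=%d reason=%d runtime_lib=%d\n",
           rc, e.lib, e.func, e.reason, e.runtime_lib);
    return rc == 0 ? 0 : 1;
}
```

Library numbers from 128 upward are handed out at run time by `ERR_get_next_error_library()`, so when searching logs for this failure, match on the function and reason strings rather than on the number 137.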
