[openssl-users] SMIME signing with SHA1

Harald Koch root at c-works.net
Tue Nov 22 22:39:12 UTC 2016


Hello, 
> Am 22.11.2016 um 23:25 schrieb Dr. Stephen Henson <steve at openssl.org>:
> 
> On Tue, Nov 22, 2016, Harald Koch wrote:
> 
>> Hello,
>> 
>> I???m facing a critical situation in my application when creating a signed SMIME message using SHA1 as message digest algorithm. In openSSL 1.0.2 (i.e. 1.0.2h), the following command worked as expected:
>> 
>> /opt/openssl-1.0.2h/bin/openssl smime -sign -in original_message -signer cert_key.pem -md sha1
>> 
>> The message output contains a header using sha1:
>> 
>> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="??????7E9FFA1842442B7192D83A53D8D35C89"
>> 
>> 
>> With openSSL 1.1.0c, I get a segmentation fault with the same command. Using md5 or sha256 (or even not providing the parameter ???-md???, resultig in sha256) the command works as expected. Trying to determine where the segmentation fault happen, I used my C program to step through every function call, it turns out that ???SMIME_write_PKCS7??? seems to be the critical point.
>> 
>> I???m sure I???m using the correct LD_LIBRARY_PATH environment variable value for every test in Linux. The platforms I tested are Linux 32bit & 64bit, Mac OS 10.12.1. 
>> 
> 
> It's a bug in OpenSSL 1.1.0. Fix is:
> 
> https://github.com/openssl/openssl/pull/1985
Thank you very much for your fast response, we will wait for the next release to have this issue fixed. Thank you for your work making the world a better place!

Harald


More information about the openssl-users mailing list