Due to recent problems with MD5 and SHA-1 message digests, we have been experimenting with X.509 certificates that are signed using SHA-2 digests. This generally works fine with existing SSL protocols and connections. However, for OpenSSL support an additional initialisation call is required. If OpenSSL_add_all_digests() or OpenSSL_add_all_algorithms() were called upon initialisation, then everything would work just fine. Unfortunately the curl command-line application calls SSLeay_add_ssl_algorithms() instead, which in the latest stable OpenSSL release does not yet include SHA-2 signature support. It would be nice if this were added in future curl releases.
I have set up a site to reproduce this. First get the public certificate, then try secure access:
$ curl -k -o sha2-pub.pem https://sha2.gletsjer.net/sha2-pub.pem
$ curl --cacert sha2-pub.pem https://sha2.gletsjer.net/
curl: (35) error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
When the mentioned patch is applied, this error disappears.
OpenSSL initialisation patch
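The failure above only shows up against the reporter's live host. The script below is an added example, not part of the original report or of curl: it builds a self-signed certificate whose signature uses SHA-256 with the openssl command-line tool, reads the signature algorithm back out of the certificate, and verifies the certificate against itself as the CA file, which is the offline analogue of `curl --cacert sha2-pub.pem https://sha2.gletsjer.net/`. A verifier whose digest table has not been populated with SHA-2 fails the signature check on such a certificate; a current openssl binary verifies it. The function names, the `/CN=sha2-test-ca` subject and the temporary file names are assumptions made for the demo, and the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the curl thread): create a SHA-256-signed
# certificate and verify it with the openssl CLI. Requires the openssl
# command-line tool; file names and the subject are demo assumptions.

# Create a self-signed certificate signed with the given digest (e.g. sha256).
# Arguments: output directory, digest name. Writes ca.key and ca.pem.
make_selfsigned_cert() {
    dir=$1; digest=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -"$digest" -subj "/CN=sha2-test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Print the signature algorithm recorded in the certificate,
# e.g. sha256WithRSAEncryption. Argument: certificate file.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Verify a certificate against a CA file the way curl --cacert would.
# Arguments: CA file, certificate file. Returns 0 on success, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run the whole check in a temporary directory; returns 0 if the
# SHA-2-signed certificate verifies, 1 if the signature check fails.
demo_sha2_verify() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found"; return 0; }
    tmp=$(mktemp -d)
    make_selfsigned_cert "$tmp" sha256 || { rm -rf "$tmp"; return 1; }
    alg=$(cert_sig_alg "$tmp/ca.pem")
    if verify_against_ca "$tmp/ca.pem" "$tmp/ca.pem"; then
        echo "verified OK, signature algorithm: $alg"; rc=0
    else
        # A verifier without SHA-2 registered ends up here: the certificate
        # is well-formed, but its signature digest is unknown to the library.
        echo "verification FAILED for $alg (SHA-2 digest not registered?)"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo_sha2_verify
```

The same `cert_sig_alg` check is the quickest way to tell whether a certificate you are about to trust was signed with a SHA-2 digest at all; `make_selfsigned_cert "$dir" sha1` produces a SHA-1-signed certificate for comparison.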
Ah, nice find! But I wonder from what OpenSSL version that function is provided. I guess we better add a configure check for it, and use the SSLeay one for those who don't seem to have the OpenSSL_* one.
It seems that OpenSSL_add_all_digests() was introduced in 0.9.5 (that's 9 years ago); older versions indeed use SSLeay_add_all_digests().
Thanks for the report, this problem is now fixed in CVS!