Haxx ad

curl's project page on


cURL > Mailing List > Monthly Index > Single Mail

curl-tracker mailing list Archives

[ curl-Bugs-2825989 ] curl refuses sha-2 signed certificates

From: <>
Date: Sun, 26 Jul 2009 17:33:53 +0000

Bugs item #2825989, was opened at 2009-07-23 15:45
Message generated for change (Comment added) made by bagder
You can respond by visiting:

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: new feature request
>Status: Closed
>Resolution: Fixed
Priority: 6
Private: No
Submitted By: koresh (koresh)
Assigned to: Daniel Stenberg (bagder)
Summary: curl refuses sha-2 signed certificates

Initial Comment:
Due to recent problems with MD5 and SHA-1 message digests, we have been experimenting with X.509 certificates that are signed using SHA-2 digests. This generally works fine with existing SSL protocols and connections. However for OpenSSL support an additional initialisation call is required. If OpenSSL_add_all_digests() or OpenSSL_add_all_algorithms() would be called upon initialisation, then everything will work just fine. Unfortunately the curl command-line application calls SSLeay_add_ssl_algorithms() instead, which in the latest stable OpenSSL release does not yet include SHA-2 signature support. If would be nice if this were added in future curl releases.


Comment By: Daniel Stenberg (bagder)
Date: 2009-07-26 19:33

Thanks for the report, this problem is now fixed in CVS!


Comment By: koresh (koresh)
Date: 2009-07-23 22:17

It seems that OpenSSL_add_all_digests() was introduced in 0.9.5 (that's 9
years ago), older versions indeed use SSLeay_add_all_digests().


Comment By: Daniel Stenberg (bagder)
Date: 2009-07-23 22:06

Ah, nice find! But I wonder from what OpenSSL version that function is
provided. I guess we better add a configure check for it, and use the
SSLeay one for those who don't seem to have the OpenSSL_* one.


Comment By: koresh (koresh)
Date: 2009-07-23 16:37

I have set up a site to reproduce this. First get the public certificate,
then try secure access:
$ curl -k -o sha2-pub.pem
$ curl --cacert sha2-pub.pem
curl: (35) error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
message digest algorithm

When the mentioned patch is applied, this error disappears.


You can respond by visiting:
Received on 2009-07-26

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET