tech-crypto archive


Re: openssl x509 -hash



Greg Troxel <gdt%ir.bbn.com@localhost> writes:

> Some colleagues have been finding that "openssl x509 -hash" produces
> different results on netbsd-5 vs -current (late 2011).  The results are
> consistent between i386/amd64.
>
> (The hashes are used as symlinks in a CA directory to allow finding
> trust anchor CA certs; we are using a private CA.)
>
> 1) Is anyone else seeing this?
>
> 2) Is there a notion that these hashes are meant to be computed/used on
> a single machine, or are they meant to be broadly portable?  The man
> page doesn't explain this very well.

It seems that openssl has changed the certificate hash algorithm from
md5 to sha1, and the man page even hints at this:

  http://www.openssl.org/docs/apps/x509.html

This is really about openssl and not a NetBSD-specific issue, but people
who have symlinks in CA directories will find that, on upgrading,
validation fails.

I can't find this explained in upstream's NEWS or Changelog.

Attachment: pgpy7yKW8Yynh.pgp
Description: PGP signature
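The following is an added example for this thread; it is not code from the list or from OpenSSL. It reimplements both "openssl x509 -hash" schemes so the difference the thread describes can be reproduced without the openssl binary: the pre-1.0.0 value is the first four bytes of MD5 over the DER-encoded subject name, read little-endian, while from 1.0.0 on it is the first four bytes of SHA1 over a canonicalised encoding of the name (outer SEQUENCE dropped, every string value re-tagged as UTF8String, stripped, whitespace-collapsed and ASCII-lowercased). The sample subject is constructed for the example, and the canonicalisation here assumes values are PrintableString/UTF8String already holding UTF-8 bytes (OpenSSL's asn1_string_canon() also transcodes T61/BMP/UniversalString first); the helper names are mine, not OpenSSL's.

```python
# Added example (not from the tech-crypto thread or from OpenSSL): both
# "openssl x509 -hash" schemes, old (MD5 of DER name) and new (SHA1 of the
# canonical name), computed on a constructed subject.
import hashlib

OID_C = bytes.fromhex("550406")    # id-at-countryName
OID_O = bytes.fromhex("55040a")    # id-at-organizationName
OID_CN = bytes.fromhex("550403")   # id-at-commonName
PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C
ASCII_WS = b" \t\n\v\f\r"          # what ossl_isspace() accepts


def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def rdn(oid, value, string_tag):
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, value } }."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, value)))


def canon_value(value):
    """Mirror asn1_string_canon(): strip, collapse whitespace, lower-case ASCII.
    Assumes the input bytes are already UTF-8 (true for PrintableString/UTF8String)."""
    start, end = 0, len(value)
    while start < end and value[start] in ASCII_WS:
        start += 1
    while end > start and value[end - 1] in ASCII_WS:
        end -= 1
    out = bytearray()
    i = start
    while i < end:
        b = value[i]
        if b >= 0x80:                 # non-ASCII byte is copied untouched
            out.append(b)
            i += 1
        elif b in ASCII_WS:           # a run of whitespace becomes one space
            out.append(0x20)
            while i < end and value[i] in ASCII_WS:
                i += 1
        else:
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            i += 1
    return bytes(out)


def name_der(attrs):
    """Full DER Name (SEQUENCE OF RDN): the bytes pre-1.0.0 fed to MD5."""
    return tlv(0x30, b"".join(rdn(o, v, t) for o, v, t in attrs))


def name_canon(attrs):
    """1.0.0+ canonical encoding: RDNs concatenated without the outer
    SEQUENCE, each value canonicalised and re-tagged as UTF8String."""
    return b"".join(rdn(o, canon_value(v), UTF8_STRING) for o, v, t in attrs)


def _hash_name(digest):
    # X509_NAME_hash(): md[0] | md[1]<<8 | md[2]<<16 | md[3]<<24, printed %08lx
    return "%08x" % int.from_bytes(digest[:4], "little")


def subject_hash_old(attrs):
    """Equivalent of 'openssl x509 -subject_hash_old' (the pre-1.0.0 -hash)."""
    return _hash_name(hashlib.md5(name_der(attrs)).digest())


def subject_hash(attrs):
    """Equivalent of 'openssl x509 -subject_hash' (the 1.0.0+ -hash)."""
    return _hash_name(hashlib.sha1(name_canon(attrs)).digest())


def ca_dir_links(attrs, cert_file):
    """Symlink names a CApath directory needs so clients built against either
    OpenSSL generation find cert_file (.0 is the first cert with that hash;
    a colliding second cert would get .1, and so on)."""
    return {subject_hash(attrs) + ".0": cert_file,
            subject_hash_old(attrs) + ".0": cert_file}


# Constructed sample subject (not a real CA): C=US, O=Example CA, CN=Example Root CA
SUBJECT = [
    (OID_C, b"US", PRINTABLE_STRING),
    (OID_O, b"Example CA", PRINTABLE_STRING),
    (OID_CN, b"Example Root CA", PRINTABLE_STRING),
]
# Same name modulo case, spacing and string type: identical under the new
# scheme, a different MD5 value under the old one.
SUBJECT_VARIANT = [
    (OID_C, b"US", PRINTABLE_STRING),
    (OID_O, b"example   ca ", UTF8_STRING),
    (OID_CN, b"EXAMPLE ROOT CA", PRINTABLE_STRING),
]

if __name__ == "__main__":
    for label, attrs in (("subject", SUBJECT), ("variant", SUBJECT_VARIANT)):
        print(label, "old:", subject_hash_old(attrs), "new:", subject_hash(attrs))
    print(ca_dir_links(SUBJECT, "example-root.pem"))
```

To check this against a real certificate, run `openssl x509 -noout -subject_hash -subject_hash_old -in ca.pem` (both flags exist from 1.0.0) and compare with what the two functions return for that certificate's subject; a CA directory that carries a symlink for each of the two names keeps working on either side of the upgrade the thread describes.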


