Opened 8 years ago

Closed 8 years ago

#675 closed Bug / Defect (fixed)

tls_digest alternative with stronger hash

Reported by: lmamane
Owned by: Steffan Karger
Priority: major
Milestone: beta 2.4
Component: Generic / unclassified
Version: OpenVPN 2.3.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


When running the tls-verify script, the SHA-1 digests of the certificates are set in the tls_digest_{n} environment variables. Given the deprecation of SHA-1, please provide extra variables with stronger hashes. E.g.:



Change History (5)

comment:1 Changed 8 years ago by Gert Döring

Owner: set to Steffan Karger
Status: new → assigned

comment:2 Changed 8 years ago by Gert Döring

@syzzer: is that something real, or just "bad algorithm! sit!" hysteria?

comment:3 Changed 8 years ago by Steffan Karger

Milestone: beta 2.4
Status: assigned → accepted

These are fingerprints, and fingerprints have to be collision resistant. So yes, we should indeed add stronger digests. I'm putting this on the list for 2.4.

comment:4 Changed 8 years ago by Steffan Karger

For reference, I sent a patch for this to the list back in May '16, which is awaiting review:

comment:5 Changed 8 years ago by David Sommerseth

Resolution: fixed
Status: accepted → closed

Currently we do not see any clear security benefits of providing SHA512. But we do provide SHA256 with the patch below.

commit af1e4d26ab65bd71de168ea621ca55d0e40a0bc1
Author: Steffan Karger <>
Date:   Thu May 5 22:14:07 2016 +0200

    Add SHA256 fingerprint support

    Add SHA256 fingerprint support for both the normal exported fingerprints
    (tls_digest_n -> tls_digest_sha256_n), as well as for --x509-track.

    Also switch to using the SHA256 fingerprint instead of the SHA1 fingerprint
    internally, in cert_hash_remember() / cert_hash_compare().  And instead of
    updating an #if 0'd code block that has been disabled since 2009, just
    remove that.

    This should take care of trac #675.

    v2: update openvpn.8 accordingly

    [ DS: This commit squashes in the clean-up cert_hash_remember scoping patch,
          as it is highly related and tied to this primary patch ]

    Signed-off-by: Steffan Karger <>
    Acked-by: David Sommerseth <>
    Signed-off-by: David Sommerseth <>
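
An added example (not part of the ticket or of OpenVPN's code): a `--tls-verify` script that pins the peer certificate on `tls_digest_sha256_0`, the variable the commit above introduces, and fails closed when it is absent. The pin file path, its one-fingerprint-per-line format and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pin the peer (depth 0) certificate by SHA256 fingerprint.
# PIN_FILE (assumed path) holds one fingerprint per line; '#' starts a comment.
PIN_FILE="${PIN_FILE:-/etc/openvpn/pinned-sha256.txt}"

# Canonical form: lowercase hex without separators. Prints nothing and fails
# unless the input is exactly 64 hex digits once colons are removed.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    case "$fp" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# verify_pin DEPTH FILE: succeeds only if tls_digest_sha256_DEPTH is in FILE.
verify_pin() {
    depth=$1 file=$2
    # DEPTH is interpolated into eval below, so accept digits only.
    case "$depth" in
        ''|*[!0-9]*) return 1 ;;
    esac
    eval "raw=\${tls_digest_sha256_${depth}:-}"
    # Fail closed: a missing or malformed SHA256 variable is rejected rather
    # than falling back to the SHA-1 value in tls_digest_N.
    got=$(normalize_fp "$raw") || return 1
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '#'*|'') continue ;; esac
        want=$(normalize_fp "$line") || continue
        [ "$want" = "$got" ] && return 0
    done < "$file"
    return 1
}

# OpenVPN runs the script once per chain certificate with the depth as $1.
# Only the leaf is pinned; other depths are left to normal chain validation.
if [ "$#" -ge 1 ]; then
    [ "$1" = 0 ] || exit 0
    verify_pin 0 "$PIN_FILE"
    exit $?
fi
```
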