vijayanand
commented
11 years ago Sure sounds good. I think if we add all the SHA family that would be better.
Open bbockelm opened 11 years ago
vijayanand
commented
11 years ago Sure sounds good. I think if we add all the SHA family that would be better.
okoeroo
commented
11 years ago Adding all doesn't really make sense here...
It's exclusively used to do a file lookup based on the filename being a md5 or sha1 hash of the CAs subject (where the subject lookup part is an IIRC). OpenSSL has moved from md5 to sha1. It doesn't make sense to look for filenames with the hash values of all the possible SHA family options before giving up that the CA files are not installed on disk :-)
Right now, JGlobus will perform a few optimizations based on a hashing algorithm (MD5) used by OpenSSL 0.9.8. The hash optimizations provide a quick-lookup path for a CA's certificate, CRL and signing policy without having to parse all files in a directory. This is especially important for clients as the modern IGTF CA distribution has several hundred files.
However, OpenSSL 1.0.0 switched the hashing algorithm to be based on SHA-1. We should update JGlobus to provide that algorithm, and allow the hash algorithm to be selected at runtime.