Add support of SHA256 for SSL fingerprint (SHA1 is deprecated) #281
You probably mean in code which I have no idea, but here is openssl command and result for freenode:
% openssl s_client -connect chat.freenode.net:6697 < /dev/null 2>/dev/null|openssl x509 -fingerprint -sha256 -noout -in /dev/stdin SHA256 Fingerprint=14:11:92:98:3C:A7:A1:7D:47:74:24:83:C8:0E:A0:2F:98:CC:27:AA:AF:AC:07:8C:12:03:45:23:E0:88:A8:76
Why it wouldn't?
I don't understand why.
I think I see what you mean. If I have understood correctly, fingerprint is just hash of certificate and you can use other hashes than the certificate is, so there is no reason to support SHA1. Freenode's certificates appear to be
Yeah, the hashing method is explicitly defined in
/* calculate the SHA1 fingerprint for the certificate */ if (gnutls_x509_crt_get_fingerprint (certificate, GNUTLS_DIG_SHA1, fingerprint_server, &fingerprint_size) != GNUTLS_E_SUCCESS)
So what happens is:
There is no reason why the hashing method couldn't be changed from SHA1 to SHA256. In the transition phase the client could support both SHA1 and SHA256, detecting the hash type from its length.
Also in the case of Freenode you should trust the CA as mentioned in the documentation, setting the fingerprint is unnecessary and dangerous (from the docs):