From 9e8b6f042749ded556380227c9f2db7ffad9a3aa Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Sat, 12 Dec 2015 19:25:25 -0500 Subject: [PATCH] Use SHA256 not MD5 as default digest. (Documentation update was in the MR but not the commit. Oops.) Reviewed-by: Viktor Dukhovni --- CHANGES | 4 ++++ doc/apps/dgst.pod | 14 ++++++++++++-- doc/apps/enc.pod | 11 ++++++++++- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 7a444266ff..a7833dbd1b 100644 --- a/CHANGES +++ b/CHANGES @@ -210,6 +210,10 @@ *) Added HTTP GET support to the ocsp command. [Rich Salz] + *) Changed default digest for the dgst and enc commands from MD5 to + sha256 + [Rich Salz] + *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. [Matt Caswell] diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod index 1b1a7e17fd..3c68ddd4af 100644 --- a/doc/apps/dgst.pod +++ b/doc/apps/dgst.pod @@ -2,12 +2,12 @@ =head1 NAME -dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 - message digests +dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5 - message digests =head1 SYNOPSIS B B -[B<-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md2|-md4|-md5|-dss1>] +[B<-sha|-sha1|-mdc2|-ripemd160|-sha224|-sha256|-sha384|-sha512|-md4|-md5>] [B<-c>] [B<-d>] [B<-hex>] @@ -36,6 +36,13 @@ The digest functions output the message digest of a supplied file or files in hexadecimal. The digest functions also generate and verify digital signatures using message digests. +The generic name, B, may be used with an option specifying the +algorithm to be used. +The default digest is I. +The digest name may also be used as the command name. +To see the list of supported algorithms, use the +command. + =head1 OPTIONS =over 4 @@ -209,5 +216,8 @@ Hex signatures cannot be verified using B. Instead, use "xxd -r" or similar program to transform the hex signature into a binary signature prior to verification. +=head1 HISTORY + +The default digest was chaned from MD5 to SHA256 in Openssl 1.1. =cut diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index 8f7e1cb7f8..bcaa49f54a 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -22,7 +22,7 @@ B [B<-salt>] [B<-nosalt>] [B<-z>] -[B<-md>] +[B<-md digest>] [B<-p>] [B<-P>] [B<-bufsize number>] @@ -97,6 +97,11 @@ read the password to derive the key from the first line of B. This is for compatibility with previous versions of OpenSSL. Superseded by the B<-pass> argument. +=item B<-md digest> + +Use the specified digest to create the key from the passphrase. +The default algorithm is sha-256. + =item B<-nosalt> do not use a salt @@ -329,4 +334,8 @@ The B program only supports a fixed number of algorithms with certain parameters. So if, for example, you want to use RC2 with a 76 bit key or RC4 with an 84 bit key you can't use this program. +=head1 HISTORY + +The default digest was chaned from MD5 to SHA256 in Openssl 1.1. + =cut -- GitLab