Server compatibility with SHA256-signed SSL certificates
The SHA256 hash algorithm is used to sign certificates, CSRs, etc. and to guarantee their uniqueness. It plays no part in the encryption / authentication process itself, but tools (browsers, email clients, servers...) must be able to read / decipher this kind of hash during the connection / authentication process.
- if you install a SHA256 certificate on a client (strong authentication by certificate), make sure the client (browser, webservice...) and the servers are compatible, even if the server keeps using a SHA1/MD5-signed certificate.
- if you install a SHA256 certificate on a server, then all the clients connecting to it and the server must be SHA256-compatible.
Servers SHA256-compatible
- Apache server (tested with Apache 2.0.63 and OpenSSL 0.9.7m but for a complete implementation you'll need OpenSSL 0.9.8o+).
- Windows Server 2008+
- Windows Vista
- Windows 7
- Windows Server 2003 with patch 938397
- Windows Server 2003 or XP client with patch 968730
- Oracle WebLogic from the version 10.3.1, see bug8422724
- Oracle Wallet Manager 11.2.0.1+
- IBM HTTP Server with GSKit 7.0.4.14 or higher
- Websphere with GSKit 8 or higher
- Java servers: JDK 1.4.2+
- Citrix Netscaler 9.3+
- Citrix Access Gateway v5.0.4+
- Citrix Secure Gateway 3.3+
- 4D server 14.01+
- Amazon Web Server (AWS)
- Barracuda Network Access Client 3.5+
- CrushFTP 7.1.0+
- F5 BIG-IP 10.1.0+
- WebSphere MQ 7.0.1.4+
- SonicOS (SonicWall) 5.9.0.0+
- Products based on OpenSSL 0.9.8o+
- Products based on Mozilla NSS 3.8+
- IBM z/OS v1r10+
- IBM Domino 9+ (bundled with HTTP 8.5+)
- IBM HTTP (bundled with Domino 9+)
- Cisco ASA 5500 8.2.3.9+ for AnyConnect VPN Sessions
- Cisco ASA 5500 8.4+ for other functionalities
- Load balancer Cisco ACE30 handles SHA-256 certificates from software version A4 (1.0) (tested at OVH with software version A5 (2.2)).
Servers not SHA256-compatible
- Citrix Secure Gateway 3.2 or lower
- Citrix Access Gateway
- Citrix Access Essentials version 3
- Juniper SBR
- Citrix Receiver models
- Blackberry 2.2 / BlackBerry 1.0 Tech Preview
- Cisco ACE module software versions A2 and A3
- Windows Server 2003 on which patch 938397, which adds SHA256 support, has not been installed. See http://support.microsoft.com/kb/938397
- Windows 2000
Last edited on 06/03/2016 08:34:29