OpenSSL in FIPS mode - MD5 hash in replay cache

Greg Hudson ghudson at
Wed Dec 23 00:47:12 EST 2015

On 12/22/2015 06:30 PM, Tomas Kuthan wrote:
> Is there a reason not to use a new extension identifier 'SHA1:' as I
> proposed originally?

No, you've convinced me.

> I would have also preferred SHA-256 (+ it was pointed out to me in an
> internal discussion twice), but as you say, it is not currently
> available. New checksum type for SHA-256 would be warmly welcomed.

I will try to figure out what would be necessary to register checksum
type numbers for unkeyed SHA-256, SHA-384, and SHA-512.

More information about the krbdev mailing list