PR: 2136

Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at> Add options to output hash using older algorithm compatible with OpenSSL versions before 1.0.0
author: Dr. Stephen Henson <steve@openssl.org> 2010-01-12 17:29:34 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2010-01-12 17:29:34 +0000
commit: 0e0c6821fab18a7d180d3c8dfe18e34fdd2afc54 (patch)
tree: ee03d9c49d86abec367ce5f68242900a72d17168 /doc
parent: 423c66f10e3762643020601bf76cec3309f1474d (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index 09aaed421e..3002b08123 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -158,6 +158,16 @@ outputs the "hash" of the certificate issuer name.
 
 synonym for "-subject_hash" for backward compatibility reasons.
 
+=item B<-subject_hash_old>
+
+outputs the "hash" of the certificate subject name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
+=item B<-issuer_hash_old>
+
+outputs the "hash" of the certificate issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-subject>
 
 outputs the subject name.
@@ -837,4 +847,10 @@ L<x509v3_config(5)|x509v3_config(5)>
 
 Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
 
+The hash algorithm used in the B<-subject_hash> and B<-issuer_hash> options
+before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
+canonical version of the DN using SHA1. This means that any directories using
+the old form must have their links rebuilt using B<c_rehash> or similar. 
+
 =cut
author	Dr. Stephen Henson <steve@openssl.org>	2010-01-12 17:29:34 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2010-01-12 17:29:34 +0000
commit	0e0c6821fab18a7d180d3c8dfe18e34fdd2afc54 (patch)
tree	ee03d9c49d86abec367ce5f68242900a72d17168 /doc
parent	423c66f10e3762643020601bf76cec3309f1474d (diff)