Re: verifier mode operating without rsa-sha256 support; terminating
On 06/27/2013 12:49 AM, Murray S. Kucherawy wrote:
> On Thu, 27 Jun 2013, Rolf E. Sonneveld wrote:
>> Any ideas what I should check next?
>
> Regardless of what's installed there, it wasn't compiled against that
> version of openssl, but something older that doesn't have SHA256
> support. "opendkim -V" should confirm this.
Hmm:
opendkim -V
opendkim: OpenDKIM Filter v2.8.2
Compiled with OpenSSL 1.0.1 14 Mar 2012
SMFI_VERSION 0x1000001
Supported signing algorithms:
rsa-sha1
Supported canonicalization algorithms:
relaxed
simple
Active code options:
USE_DB
USE_JANSSON
USE_ODBX
_FFR_ATPS
_FFR_DKIM_REPUTATION
_FFR_IDENTITY_HEADER
_FFR_LDAP_CACHING
_FFR_REPUTATION
_FFR_STATS
libopendkim 2.8.2: atps dkim_reputation debug
and openssl output was:
# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 15 15:27:18 UTC 2013
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
-Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
>
> You could also set "AllowSHA1Only".
You mean: set it to 'yes'?
/rolf
Received on Thu Jun 27 2013 - 21:54:43 PST
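
Added example, not part of the original message and not OpenDKIM's own code: a shell check that reads `opendkim -V` output and reports whether rsa-sha256 appears under "Supported signing algorithms", alongside the OpenSSL version the binary says it was compiled with. The function names are hypothetical, and the embedded sample is the start of the output quoted in the message above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenDKIM.
# SAMPLE is the start of the `opendkim -V` output quoted in the message.
SAMPLE='opendkim: OpenDKIM Filter v2.8.2
Compiled with OpenSSL 1.0.1 14 Mar 2012
SMFI_VERSION 0x1000001
Supported signing algorithms:
rsa-sha1
Supported canonicalization algorithms:
relaxed
simple'

# Print the entries listed under "Supported signing algorithms:".
# A line ending in ":" opens a section; entries run until the next such line.
dkim_signing_algs() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /:$/ { in_sec = ($0 == "Supported signing algorithms:"); next }
        in_sec && NF { print }
    '
}

# Print the OpenSSL version string the binary reports it was built with.
dkim_compiled_openssl() {
    sed -n 's/^[[:space:]]*Compiled with //p'
}

# Exit status: 0 = rsa-sha256 listed, 1 = not listed, 2 = section not found.
check_sha256() {
    algs=$(dkim_signing_algs)
    [ -n "$algs" ] || return 2
    printf '%s\n' "$algs" | grep -qx 'rsa-sha256'
}

# Read `opendkim -V` output on stdin, print a one-line verdict.
report() {
    input=$(cat)
    ssl=$(printf '%s\n' "$input" | dkim_compiled_openssl)
    rc=0
    printf '%s\n' "$input" | check_sha256 || rc=$?
    case $rc in
        0) echo "OK: rsa-sha256 available (built with ${ssl:-unknown})" ;;
        1) echo "FAIL: rsa-sha256 missing (built with ${ssl:-unknown})" ;;
        *) echo "UNKNOWN: no signing-algorithm section found" ;;
    esac
    return "$rc"
}

printf '%s\n' "$SAMPLE" | report || true
```

On a live host the same check is `opendkim -V | report`, and the exit status can gate a deployment or monitoring script.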