search cancel

XCOM support of SHA-2 certificates & CAPKI/OpenSSL versions

book

Article ID: 216003

calendar_today

Updated On:

Products

XCOM Data Transport XCOM Data Transport - Linux PC XCOM Data Transport - Windows XCOM Data Transport - z/OS

Issue/Introduction

What XCOM for Linux and Windows versions support SHA-2 certificates?

Environment

Release : 11.6

Component :XCOM Data Transport for Linux PC

XCOM Data Transport for Windows

Resolution

SHA-2 was first drafted in 2001 and then published in August 2002 (FIPS 180-2): https://csrc.nist.gov/publications/detail/fips/180/2/archive/2002-08-01
The support for SHA-2 certificates is linked to the version of OpenSSl used in the CAPKI software that is installed with XCOM for Linux.

Linux:
11.6 SP00 32-bit (which reached End Of Service on February 28, 2018) and 11.6 SP00 64-bit use CAPKI 4.3.0
11.6 SP01 64-bit uses CAPKI 5.x

CAPKI 4.3.0 uses OpenSSL 0.9.8h (+ some vulnerability fixes) which does not have SHA-2 certificate support by default. That is because although SHA-2 was added to 0.9.8 it was not enabled by default until 0.9.8o.
CAPKI 5.x uses OpenSSL 1.0.2g which has SHA-2 certificate support by default.

Therefore 11.6 SP01 is the earliest release that supports SHA-2 certificates.

Windows:
11.6 SP01 also uses CAPKI 5.x, but a slightly earlier version (5.0.2) which uses OpenSSL 1.0.2d
Again 11.6 SP01 is the earliest release that supports SHA-2 certificates.
NOTE: Up to and including r11.6 SP02, XCOM for Windows also used CAPKI. However SP03 does not use CAPKI and has its own OpenSSL library files libeay32.dll and ssleay32.dll. Patch LU03588 also upgrades OpenSSL from 1.0.2d to 1.0.2j. However in patch LU06617, which upgrades OpenSSL to 1.0.2ze, SP03 reverted to using CAPKI.

Additional Information

1. CAPKI 5.x also provides support for TLSv1.1 & TLSv1.2.
The TLSv1.2 specification (RFC 5246) includes the use of SHA-256 cipher suites for pseudorandom functions (PRFs) and support for SHA-2 cipher suites in general: https://datatracker.ietf.org/doc/html/rfc5246
Related XCOM for Linux and Windows techdocs sections here:
XCOM Data Transport for UNIX/Linux 11.6.1 > Using > Generating TLS/SSL Certificates > Supported Cipher Suites
XCOM Data Transport for Windows 11.6 Service Packs > Administrating > Generate TLS/SSL Certificates > Cipher Suites for r11.6 SP01/ SP02/SP03

2. Related article for XCOM for z/OS:
Does CA XCOM for z/OS support SHA-2 certificates?