SHA-256 Compatibility
13 Dec 2021
Introduction
SHA-2 is a family of cryptographic hash functions which includes SHA-224, SHA-256, and SHA-512. The 256 in SHA-256 is the bit length of the digest the function produces. Not all software supports every digest size within the SHA-2 family. This article focuses specifically on SHA-256 and its compatibility with various software platforms and operating systems. As a general rule, SHA-256 is supported on OS X 10.5+ and Windows XP SP3+.
Read our Hash Functions article for a better understanding of how they work and how they are used to validate certificates and documents.
For GlobalSign’s policy on SHA-256 issuance as well as important dates set by Microsoft, Google, and Mozilla, please read the SHA-256 Rollout article.
To purchase a trusted SHA-256 certificate, contact a GlobalSign representative.
Index:
- OS, Browser, and Server Support
- Firewall Support
- Toolkits, Libraries, Frameworks, etc.
- Database Support
- Detailed Operating System Support
- E-Mail Clients
- Document Signing
- Windows Code Signing
- SafeNet iKey / eToken Compatibility
- Mainframe
- Citrix Support
- Services
OS, Browser, and Server Support
Operating System | Minimum OS Version (SSL Certificates) | Minimum OS Version (Client Certificates)
Apple OS X | 10.5+ | 10.5+
Apple iOS | 3.0+ (Required in iOS 9+) [30] | 3.0+
Android* | 1.0+ (1.6 / 2.2) | 1.0+
Blackberry | 5.0+ | 5.0+
ChromeOS | All Versions | All Versions
Windows [1] [2] | XP SP3+ | XP SP3+
Windows Phone | 7+ | 7+
Windows Server | 2003 SP2 + MS13-095 | 2003 SP2 + MS13-095

Browser | Minimum Browser Version
Chrome** [7] | 1.0+ (38+)
Firefox [7] | 1.0+
Internet Explorer [7] | 6+ (On a SHA-2 Compatible OS)
Konqueror | 3.5.6+
Mozilla [7] | 1.4+
Netscape [7] | 7.1+
Opera [7] | 6.0+
Safari | 3+ (Ships with OS X 10.5)

Server | Minimum Server Version
Active Directory Federation Server (AD FS) [28] | 2.0+ (Must use non-CNG CSP)
Apache HTTP Server*** | Dependent on OpenSSL or GnuTLS version
Apache Tomcat | Dependent on Java version
IBM Domino Server [9] | 9.x with Fix Pack
IBM HTTP Server [10] | Any version with GSKit 7.0.4.14
IBM WebSphere Server [26] | 7.0.0.25 / 8.0.04 with PM62842
Microsoft Exchange Server | Dependent on Windows Server version
NGINX | Dependent on OpenSSL version
Oracle Wallet Manager | 11.2.0.1+
Oracle Weblogic**** [27] | 10.3.3+
* Android has been technically capable of handling SHA-256 certificates since version 1.0. In practice, some users may encounter issues validating certificates that rely on cross certificates (these chain certificates to alternate roots). Version 1.6 improved this for some users, and the issue is resolved as of version 2.2.
** Chrome has been capable of supporting SHA-2 certificates since version 1.0; however, through version 37 it depends on the operating system. For instance, on Windows Server 2003 without MS13-095 or on Windows XP SP2, Chrome will not connect to pages using SHA-2 certificates. Applying MS13-095 to Server 2003, or SP3 to Windows XP, allows Chrome to support SHA-2 on these legacy systems.
Chrome 38+ validates SHA-2 certificates independently of the operating system, even on systems such as Server 2003 without MS13-095 applied.
*** Apache 2.0 is bundled with mod_ssl by default. Versions prior to 2.0 require manual installation of mod_ssl for any SSL support at all. mod_gnutls is an alternative to mod_ssl that uses GnuTLS instead of the OpenSSL libraries.
**** Oracle Weblogic Server 10.3.3 and above have JSSE available to support SSL/TLS certificates and connections. Older versions use Certicom extensions, which are now deprecated.
10.3.3 is the first version to officially support JSSE. It can be enabled by logging in to the admin console and clicking Environment > Servers > ManagedServerName > Configuration > SSL > Advanced > Use JSSE SSL. Click Save and restart the server. Versions prior to 10.3.3 can enable JSSE manually, but this is not officially supported by Oracle.
Firewall Support
Firewall | Minimum Version
Cisco ASA 5500 [29] | 8.2 (3.9)
Toolkits, Libraries, Frameworks, etc.
Toolkit / Library | Minimum Version
Java [19] | Java 1.4.2+
Mozilla NSS [18] | 3.8+
OpenSSL* [3] | 0.9.8 / 0.9.8o+
GnuTLS [12] | 1.7.4+
.NET FX [13] | 3.5 SP1+
* Support for SHA-2 was introduced in OpenSSL 0.9.8, but it is not enabled by default by SSL_library_init(). In 0.9.8 the SHA-2 digests must be registered explicitly, or by calling OpenSSL_add_all_algorithms(), which loads every algorithm and may not be desired. OpenSSL 0.9.8o enables the SHA-2 hash algorithms in the default configuration.
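The practical question behind the OpenSSL note above, and behind the compatibility tables generally, is whether the library a system is actually linked against exposes SHA-256 and whether a given certificate uses it. The following is an added example, not GlobalSign's code and not part of the original article. It uses Python's hashlib as a stand-in for "the linked crypto library" (hashlib.algorithms_available reflects the digests that library registers, which is exactly what the 0.9.8 default-registration issue affects), runs a known-answer test so a registered-but-broken digest is also caught, and reads the signatureAlgorithm OID out of a certificate's DER encoding so a SHA-1 certificate can be told apart from a SHA-256 one. The sample certificates are constructed skeletons (placeholder tbsCertificate, dummy signature) built only to exercise the parser; they are not real certificates.

```python
"""Check SHA-256 availability in the runtime's crypto library and classify an
X.509 certificate's signature hash from its DER encoding (stdlib only)."""
import base64
import hashlib

try:
    import ssl
    OPENSSL_VERSION = ssl.OPENSSL_VERSION
except ImportError:  # Python built without the ssl module
    OPENSSL_VERSION = "ssl module unavailable"

# Known-answer vectors for SHA-256 (the FIPS 180-4 example messages).
SHA256_KAT = {
    b"": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    b"abc": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def sha256_available():
    """True if the digest table of the linked library registers sha256."""
    return "sha256" in hashlib.algorithms_available


def sha256_self_test():
    """True only if sha256 is registered and every known-answer vector passes."""
    if not sha256_available():
        return False
    return all(hashlib.new("sha256", m).hexdigest() == d for m, d in SHA256_KAT.items())


# --- minimal DER reader: just enough to reach Certificate.signatureAlgorithm ---

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets to dotted form (first byte packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> hash they use.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "sha1",       # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",    # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",    # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",    # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",          # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",      # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",      # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",      # ecdsa-with-SHA512
}


def pem_to_der(pem_text):
    """Strip PEM armour lines and base64-decode the certificate body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def cert_signature_hash(der):
    """Hash algorithm named by the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate: skipped as a whole
    tag, sig_alg, _ = _read_tlv(cert, pos)  # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_raw, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_raw)
    return SIG_ALG_HASH.get(oid, "unknown:" + oid)


# --- constructed sample certificates (structure only, NOT real certificates) ---

def _der(tag, content):
    """Encode one TLV; uses the long length form above 127 bytes."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _skeleton_cert(alg_oid_hex):
    """Certificate shell: placeholder tbsCertificate, real algorithm OID, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, bytes.fromhex(alg_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xAA" * 256)                   # forces long-form lengths
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA256_RSA = _skeleton_cert("2a864886f70d01010b")   # sha256WithRSAEncryption
SAMPLE_SHA1_RSA = _skeleton_cert("2a864886f70d010105")     # sha1WithRSAEncryption
SAMPLE_ECDSA_SHA256 = _skeleton_cert("2a8648ce3d040302")   # ecdsa-with-SHA256

if __name__ == "__main__":
    print("crypto library behind hashlib:", OPENSSL_VERSION)
    print("SHA-256 self-test passed:", sha256_self_test())
    print("sample certificate signature hash:", cert_signature_hash(SAMPLE_SHA256_RSA))
```

To use it on a real certificate, read the file and call cert_signature_hash(pem_to_der(text)) for PEM or cert_signature_hash(data) for DER; anything reported as "sha1" is the case the tables above are concerned with. Only the outer signatureAlgorithm is read, which is the field the tables mean by "certificate signed with SHA-256"; the parser deliberately does not validate the chain or the signature itself.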
Database Support
Database | Minimum Version
MySQL [23] | 5.5.5+
PostgreSQL [24] [25] | 8.1 / 8.2*
* The pgcrypto module for PostgreSQL added support for the SHA-2 family of hash algorithms in the 8.1 release, but only within the standalone module. 8.2 moved pgcrypto's SHA-2 functions into PostgreSQL core, so these hashes are available even if the installed version of OpenSSL does not support them.
Detailed Operating System Support
Platform | SSL Certificates (Client Side) | SSL Certificates (Server Side) | S/MIME | Code Signing
Windows XP (SP1, SP2) | ✗ | N/A | ✗ | ✗
Windows XP SP3 | ✓ | N/A | Partial* | Partial**
Windows Vista | ✓ | N/A | ✓ | Partial**
Windows 7 [20] | ✓ | N/A | ✓ | ✓
Windows 8 | ✓ | N/A | ✓ | ✓
Windows 10 | ✓ | N/A | ✓ | ✓

Windows Server 2003 / 2003 SP1 | ✗ | ✗ | ✗ | ✗
Windows Server 2003 SP2 + MS13-095 | ✓ | ✓ | ✓ | ✗
Windows Server 2008 | ✓ | ✓ | ✓ | Partial**
Windows Server 2008 R2 [20] | ✓ | ✓ | ✓ | ✓
Windows Server 2012 & 2012 R2 | ✓ | ✓ | ✓ | ✓

Windows Mobile 5 | ✗ | N/A | ✗ | N/A
Windows Mobile 6 | ✗ | N/A | ✗ | N/A
Windows Phone 7 | ✓ | N/A | ✓ | N/A
Windows Phone 8 | ✓ | N/A | ✓ | N/A
Notes on "Partial" compatibility:
* S/MIME:
- Outlook on Windows XP SP3 can use certificates signed with SHA-256, but cannot validate an e-mail signed using the SHA-256 hashing algorithm.
- By default Outlook signs with SHA1 even if a SHA2 certificate is in use, though this behavior can be changed if desired.
** Code Signing:
- Code can be signed with a SHA2 certificate on any of the systems listed as having partial or full compatibility without issue.
- Kernel drivers are the exception on the partially compatible platforms: kernel drivers signed with SHA2 certificates will not install on systems listed as having "Partial" compatibility.
E-Mail Clients
The signature hash algorithm on the certificate itself is independent of the signature hash placed on an e-mail. For example, Outlook 2003 on XP SP3 can use a certificate signed with SHA-256 to sign and encrypt e-mails, but the signature on the e-mail itself will be limited to SHA1.
E-Mail Client | Verify SHA-1 Signed E-Mail | Verify SHA-256 Signed E-Mail | Send SHA-1 Signed E-Mail | Send SHA-256 Signed E-Mail
Mozilla Thunderbird 1 - 4 [21] | ✓ | ✗ | ✓ | ✗
Mozilla Thunderbird 5 - 37 [4] [21] | ✓ | ✓ | ✓ | ✗
Mozilla Thunderbird 38+ [22] | ✓ | ✓ | ? | ✓
IBM Notes 8 [8] | ✓ | ✗ | ✓ | ✗
IBM Notes 9 [8] | ✓ | ✓ | ✓ | ✓
Microsoft Entourage 2004 [17] | ✓ | ✗ | ✓ | ✗
Microsoft Entourage 2008 [17] | ✓ | ✓ | ✓ | ✓
Microsoft Outlook 2003 & 2007 on XP SP3 [1] [2] | ✓ | ✗ | ✓ | ✗
Microsoft Outlook 2007 on Windows Vista [1] [2] | ✓ | ✓ | ✓ | ✓
Outlook for Mac 2011 [17] | ✓ | ✓ | ✓ | ✓
Set Outlook Hash Algorithm to SHA-1
Outlook 2003: Tools > Options > Settings > Security > Settings > Hash Algorithm > SHA1
Outlook 2007, 2010, 2013: File > Options > Trust Center > Trust Center Settings > E-Mail Security > Settings > Hash Algorithm > SHA1
Document Signing
Application | Place SHA1 Signature with SHA-256 certificate | Place SHA2 Signature with SHA-256 certificate | Validate SHA2 Signature
LibreOffice 4 [7] | ✓ | ✗ | ✗
Microsoft Office 2003, 2007 [7] | ✓ | ✗ | ✗
Microsoft Office 2010, 2013 | ✓ | ✓ | ✓
Adobe Acrobat 8.0+ | ✓ | ✓ | ✓
Adobe Reader 8.0+ | ✓ (See Note) | ✓ (See Note) | ✓
Note: Adobe Reader 8+ can place signatures with a Digital ID only if that functionality has been enabled via Adobe Acrobat Professional.
Adobe Acrobat and Adobe Reader are compatible with SHA-256 certificates as of version 8.0, but still place SHA1 signatures by default. As of version 9.1, Acrobat and Reader prefer SHA-256 for the signature hash when it is available and otherwise fall back to SHA1. SHA-2 signatures can be preferred in versions prior to 9.1 through edits to the registry.
Digital signatures placed with newer versions of Microsoft Office may not be backwards compatible with older versions. Legacy compatibility can be specified manually.
Office 2003 - 2010 work with SHA-2 certificates but place SHA1 signatures. Office 2013 uses SHA2 as the default signature hash when available. The signature hash can be specified in Office 2010 and 2013 via the registry.
Windows Code Signing
Platform | Executables | Kernel Drivers | VBA Macros: Office 2003, 2007 | VBA Macros: Office 2010 | VBA Macros: Office 2013
Windows XP (SP1, SP2) | ✗ | ✗ | ✗ | ✗ | N/A
Windows XP SP3 | ✓ | ✗ | ✗ | ✓ | N/A
Windows Vista [15] | ✓ | ✗ | ✗ | ✓ | N/A
Windows 7 [20] | ✓ | ✓ | ✗ | ✓ | ✓
Windows 8 | ✓ | ✓ | ✗ | ✓ | ✓
Windows 10 | ✓ | ✓ | ✗ | ✓ | ✓
Office 2010 on Windows 7 requires hotfix KB 2598139 to add SHA-256 support for code signing certificates.
Windows 7 and Windows Server 2008 R2 require KB 3033929 to validate SHA-2 signed kernel drivers. This update is not available for XP, Vista, 2003, or 2008.
For a more detailed look at hash algorithm support for both certificates and file digests in Windows, read the Windows Code Signing Hash Algorithm Support article.
Tool | Minimum Version
Visual Studio Tools for Office (VSTO) [16] | 10.0.50325
SafeNet iKey / eToken Compatibility