SHA-256 Compatibility

Introduction

SHA-2 is a family of cryptographic hash functions that includes SHA-224, SHA-256, and SHA-512. The 256 in SHA-256 is the bit length of the hash output (the digest). Not all software supports every digest size within the SHA-2 family. This article focuses specifically on SHA-256 and its compatibility with various software platforms and operating systems. As a general rule, SHA-256 is supported on OS X 10.5+ and Windows XP SP3+.

Read our Hash Functions article for a better understanding of how they work and how they are used to validate certificates and documents.

For GlobalSign’s policy on SHA-256 issuance as well as important dates set by Microsoft, Google, and Mozilla, please read the SHA-256 Rollout article.


To purchase a trusted SHA-256 certificate, contact a GlobalSign representative. 
 

Index:

  1. OS, Browser, and Server Support
  2. Firewall Support
  3. Toolkits, Libraries, Frameworks, etc.
  4. Database Support
  5. Detailed Operating System Support
  6. E-Mail Clients
  7. Document Signing
  8. Windows Code Signing
  9. SafeNet iKey / eToken Compatibility
  10. Mainframe
  11. Citrix Support
  12. Services



OS, Browser, and Server Support

Minimum OS Version

OS               | SSL Certificates               | Client Certificates
Apple OS X       | 10.5+                          | 10.5+
Apple iOS        | 3.0+ (Required in iOS 9+) [30] | 3.0+
Android*         | 1.0+ (1.6 / 2.2)               | 1.0+
Blackberry       | 5.0+                           | 5.0+
ChromeOS         | All Versions                   | All Versions
Windows [1] [2]  | XP SP3+                        | XP SP3+
Windows Phone    | 7+                             | 7+
Windows Server   | 2003 SP2 + MS13-095            | 2003 SP2 + MS13-095
     
 
Minimum Browser Version

Browser               | Version
Chrome** [7]          | 1.0+ (38+)
Firefox [7]           | 1.0+
Internet Explorer [7] | 6+ (on a SHA-2 compatible OS)
Konqueror             | 3.5.6+
Mozilla [7]           | 1.4+
Netscape [7]          | 7.1+
Opera [7]             | 6.0+
Safari                | 3+ (ships with OS X 10.5)
     
 
Minimum Server Version

Server                                          | Version
Active Directory Federation Server (AD FS) [28] | 2.0+ (must use non-CNG CSP)
Apache HTTP Server***                           | Dependent on OpenSSL or GnuTLS version
Apache Tomcat                                   | Dependent on Java version
IBM Domino Server [9]                           | 9.x with Fix Pack
IBM HTTP Server [10]                            | Any version with GSKit 7.0.4.14
IBM WebSphere Server [26]                       | 7.0.0.25 / 8.0.04 with PM62842
Microsoft Exchange Server                       | Dependent on Windows Server version
NGINX                                           | Dependent on OpenSSL version
Oracle Wallet Manager                           | 11.2.0.1+
Oracle Weblogic**** [27]                        | 10.3.3+


* Android has the technical capability of handling SHA-256 certificates right from version 1.0. In practice, some users may encounter issues with validating certificates that use cross certificates (these help chain certificates to alternate roots). 1.6 improved this issue for some users, with the issue being resolved as of version 2.2.

** Chrome is capable of supporting SHA-2 certificates as of version 1.0, however through version 37 it is dependent on the operating system. For instance, on Windows Server 2003 without MS13-095 or Windows XP SP2 Chrome will not connect to pages using SHA-2 certs. Applying MS13-095 to Server 2003, or SP3 to Windows XP will allow Chrome to support SHA-2 on these legacy systems.

Chrome 38+ can validate SHA-2 certificates independently, even on systems like Server 2003 without MS13-095 applied.

*** Apache 2.0 is bundled with mod_ssl by default. Versions prior to 2.0 require manual installation of mod_ssl for any SSL support at all. mod_gnutls is an alternative to mod_ssl that uses GnuTLS instead of the OpenSSL libraries.

**** Oracle Weblogic Server 10.3.3 and above have JSSE available to support SSL/TLS certificates and connections. Older versions use the Certicom extensions, which are now considered deprecated.

10.3.3 is the first version to officially support JSSE. It can be enabled by logging in to the admin console and navigating to Environment > Servers > ManagedServerName > Configuration > SSL > Advanced > Use JSSE SSL. Click Save and restart your server. Versions prior to 10.3.3 can enable JSSE manually, but this is not officially supported by Oracle.


Firewall Support

Firewall            | Minimum Version
Cisco ASA 5500 [29] | 8.2 (3.9)



Toolkits, Libraries, Frameworks, etc.

Toolkit          | Minimum Version
Java [19]        | Java 1.4.2+
Mozilla NSS [18] | 3.8+
OpenSSL* [3]     | 0.9.8 / 0.9.8o+
GnuTLS [12]      | 1.7.4+
.NET FX [13]     | 3.5 SP1+



* Support for SHA-2 was introduced in OpenSSL 0.9.8, but it is not enabled by default by SSL_library_init(). In 0.9.8 the SHA-2 digests must be registered explicitly, or by calling OpenSSL_add_all_algorithms(), which may not be desired. OpenSSL 0.9.8o enables the SHA-2 hash algorithms in the default configuration.

Database Support

Database             | Minimum Version
MySQL [23]           | 5.5.5+
PostgreSQL [24] [25] | 8.1 / 8.2*



* The pgcrypto module for PostgreSQL introduced support for the SHA-2 family of hash algorithms with the 8.1 release, but only in the standalone module. 8.2 incorporated the SHA-2 functions of the pgcrypto module into PostgreSQL core, making these hashes available to PostgreSQL even if the installed version of OpenSSL does not support them.

Detailed Operating System Support

Columns: SSL Certificates (Client Side) | SSL Certificates (Server Side) | S/MIME | Code Signing

Windows XP (SP1, SP2)               N/A
Windows XP SP3                      N/A  Partial*  Partial**
Windows Vista                       N/A  Partial**
Windows 7 [20]                      N/A
Windows 8                           N/A
Windows 10                          N/A

Windows Server 2003 / 2003 SP1
Windows Server 2003 SP2 + MS13-095
Windows Server 2008                 Partial**
Windows Server 2008 R2 [20]
Windows Server 2012 & 2012 R2

Windows Mobile 5                    N/A  N/A
Windows Mobile 6                    N/A  N/A
Windows Phone 7                     N/A  N/A
Windows Phone 8                     N/A  N/A

Notes on "Partial" compatibility:
* S/MIME:

  • Outlook on Windows XP SP3 can utilize certificates signed with SHA-256 but cannot validate an e-mail signed using the SHA-256 hashing algorithm.
  • By default Outlook signs with SHA1 even if a SHA2 cert is in use though this behavior can be changed if desired.


** Code Signing:

  • Code can be signed with a SHA2 cert on any of the systems listed as having partial or full compatibility without issue.
  • There is an incompatibility with SHA2 signed kernel drivers on the partially compatible platforms. Kernel drivers signed with SHA2 certs will not install on systems listed as having "Partial" compatibility.


E-Mail Clients

The signature hash algorithm on the certificate itself is independent of the signature hash placed on an e-mail. For example, Outlook 2003 on XP SP3 can use a certificate signed with SHA-256 to sign and encrypt e-mails, but the signature on the e-mail itself will be limited to SHA-1.
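The distinction above (and the Outlook behaviour described in the "Partial" S/MIME notes) can be checked mechanically by decoding the two AlgorithmIdentifiers involved: the certificate's signatureAlgorithm and the CMS SignerInfo digestAlgorithm carried inside the signed message. This Python example is added here and is not GlobalSign's code; the DER bytes and the OID table are constructed for the demonstration, and the parser handles only the short-form DER lengths that AlgorithmIdentifiers use.

```python
"""Added example, not GlobalSign's code: tell a certificate's signature hash
apart from the hash used on an S/MIME message. DER bytes below are constructed."""

# OIDs met when auditing S/MIME: certificate signature OIDs (RSA) and the
# CMS SignerInfo digestAlgorithm OIDs carried inside the signed e-mail.
HASH_BY_OID = {
    "1.2.840.113549.1.1.5": "SHA-1",      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",   # sha256WithRSAEncryption
    "1.3.14.3.2.26": "SHA-1",             # id-sha1 (CMS digestAlgorithm)
    "2.16.840.1.101.3.4.2.1": "SHA-256",  # id-sha256 (CMS digestAlgorithm)
}

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:  # base-128 subidentifiers, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(data: bytes, pos: int):
    """Read one DER tag/length/value (short-form length, enough for AlgorithmIdentifier)."""
    tag, length = data[pos], data[pos + 1]
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def hash_of_algorithm_identifier(der: bytes) -> tuple:
    """Parse AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }."""
    tag, seq, _ = read_tlv(der, 0)
    oid_tag, oid_body, _ = read_tlv(seq, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("expected SEQUENCE { OBJECT IDENTIFIER, ... }")
    oid = decode_oid(oid_body)
    return oid, HASH_BY_OID.get(oid, "unknown")

def audit_smime(cert_sig_alg: bytes, msg_digest_alg: bytes) -> dict:
    """Report both hashes: a SHA-256 certificate does not make the message
    signature SHA-256 (Outlook on XP SP3 keeps signing with SHA-1)."""
    cert_hash = hash_of_algorithm_identifier(cert_sig_alg)[1]
    msg_hash = hash_of_algorithm_identifier(msg_digest_alg)[1]
    return {"certificate_hash": cert_hash, "message_hash": msg_hash,
            "legacy_message_hash": msg_hash == "SHA-1"}

# Constructed DER AlgorithmIdentifiers (OID followed by NULL parameters).
CERT_SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
CMS_DIGEST_SHA1 = bytes.fromhex("300906052b0e03021a0500")
CMS_DIGEST_SHA256 = bytes.fromhex("300d06096086480165030402010500")
```

Running `audit_smime(CERT_SHA256_RSA, CMS_DIGEST_SHA1)` reports a SHA-256 certificate with a SHA-1 message hash, which is exactly the XP SP3 Outlook case; the same check over real messages is a simple way to find clients still signing with SHA-1 after a certificate rollout.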
 

 
Columns: Verify SHA-1 Signed E-Mail | Verify SHA-256 Signed E-Mail | Send SHA-1 Signed E-Mail | Send SHA-256 Signed E-Mail

Mozilla Thunderbird 1 - 4 [21]
Mozilla Thunderbird 5 - 37 [4] [21]
Mozilla Thunderbird 38+ [22]                       ?
IBM Notes 8 [8]
IBM Notes 9 [8]
Microsoft Entourage 2004 [17]
Microsoft Entourage 2008 [17]
Microsoft Outlook 2003 & 2007 on XP SP3 [1] [2]
Microsoft Outlook 2007 on Windows Vista [1] [2]
Outlook for Mac 2011 [17]

 

Set Outlook Hash Algorithm to SHA-1

Outlook 2003: Tools > Options > Settings > Security > Settings > Hash Algorithm > SHA1

Outlook 2007, 2010, 2013: File > Options > Trust Center > Trust Center Settings > E-Mail Security > Settings > Hash Algorithm > SHA1

Document Signing

Columns: Place SHA1 Signature with SHA-256 certificate | Place SHA2 Signature with SHA-256 certificate | Validate SHA2 Signature

LibreOffice 4 [7]
Microsoft Office 2003, 2007 [7]
Microsoft Office 2010, 2013
Adobe Acrobat 8.0+
Adobe Reader 8.0+                  See Note  See Note

  
Note: Adobe Reader 8+ can place signatures with a Digital ID if the functionality has been enabled via Adobe Acrobat Professional.

Adobe Acrobat and Adobe Reader are compatible with SHA-256 certs as of version 8.0, but still place SHA1 signatures by default. As of version 9.1, Acrobat and Reader prefer SHA-256 for the signature hash if it is available and otherwise fall back to SHA1. SHA-2 signatures can be preferred in versions prior to 9.1 through edits to the registry.

Digital signatures placed with newer versions of Microsoft Office may not be backwards compatible with older versions. Legacy compatibility can be specified manually.

Office 2003 - 2010 work with SHA-2 certs, but place SHA1 signatures. Office 2013 uses SHA2 as the default signature hash when available. You can specify the signature hash in Office 2010 & 2013 via the registry.

 

Windows Code Signing

Columns: Executables | Kernel Drivers | VBA Macros: Office 2003, 2007 | VBA Macros: Office 2010 | VBA Macros: Office 2013

Windows XP (SP1, SP2)   N/A
Windows XP SP3          N/A
Windows Vista [15]      N/A
Windows 7 [20]
Windows 8
Windows 10

 
Office 2010 on Windows 7 requires hotfix KB 2598139 to add SHA-256 support for code signing certificates.

Windows 7 and Windows Server 2008 R2 require KB 3033929 to validate SHA-2 signed kernel drivers. This update is not available for XP, Vista, 2003, or 2008.

For a more detailed look at hash algorithm support on both certificates & file digests in Windows, read the Windows Code Signing Hash Algorithm Support article.

 

Tool                                       | Minimum Version
Visual Studio Tools for Office (VSTO) [16] | 10.0.50325

 

SafeNet iKey / eToken Compatibility

Columns: Works with SHA2 Certificate | Place SHA1 Signature | Place SHA2 Signature

iKey 4000 [5]
eToken 5100 [6]

 
Mainframe

Platform      | Minimum Version
IBM z/OS [11] | v1r10

 
Citrix Support

Product         | Minimum Version
Citrix Receiver | Varies - See PDF

 


Sources

[1] SHA2 and Windows
[2] Common questions about SHA2 and Windows
[3] OpenSSL 0.9.8 Branch Release notes
[4] Bug 222179 - User preferences should control ciphers used when sending encrypted S/MIME messages
[5] iKey 4000 Specifications
[6] eToken 5100 Specifications
[7] Verified In-House
[8] IBM Notes SHA2 Support
[9] IBM Domino Planned SHA-2 Support
[10] IBM HTTP Server
[11] IBM z/OS
[12] GnuTLS
[13] .NET Security Blog
[14] Security Advisory 2949927 (SHA-2 Hash Support for Kernel Drivers - Currently Retracted)
[15] SHA-2 Signed Executables Windows Vista & Server 2008
[16] VSTO Runtime Update to Address “Unknown Publisher” for SHA256 Certificates
[17] Digital Certificate Requirements (Technet)
[18] Mozilla NSS 3.8 Release Notes
[19] Java 1.4.2 Release Notes
[20] Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2
[21] Add recognition of SHA-2 hashes when verifying S/MIME messages
[22] Thunderbird 38 Release Notes
[23] MySQL 5.5 Release Notes
[24] PostgreSQL 8.1 Release Notes
[25] PostgreSQL 8.2 Release Notes
[26] PM62842: Web Services Security Runtime Update to Support SHA-2 Signature Algorithms
[27] Oracle Weblogic - Configuring SSL
[28] Certificate Requirements for Federation Servers
[29] Release Notes for the Cisco ASA 5500
[30] App Transport Security Technote
