When a certificate authority signs a certificate, it uses one of several possible hash algorithms. Historically, the most popular algorithms were MD5 (now retired due to security issues) and the SHA-1 family. SHA-1 certificates are being phased out due to perceived weaknesses — as of February 2017, a practical attack for generating collisions was demonstrated by Google researchers. These days, the preferred hash algorithm family is SHA-2.
The certificate authorities (CAs), which issue host and user certificates used widely in the OSG, defaulted to SHA-2-based certificates on 1 October 2013; all sites will need to make sure that their software supports certificates using the SHA-2 algorithms. All supported OSG releases support SHA-2.
The table below denotes indicates the minimum releases necessary to support SHA-2 certificates.
|BeStMan 2||bestman2-2.3.0-9.osg||3.1.13||SHA-2 support; also see jGlobus, below|
|dCache SRM client||dcache-srmclient-188.8.131.52-2.osg||3.1.22||Major update includes SHA-2 support|
|Globus GRAM||globus-gram-job-manager-13.45-1.2.osg, globus-gram-job-manager-condor-1.0-13.1.osg, globus-gram-job-manager-pbs-1.6-1.1.osg||3.1.9||Critical bug fixes (not SHA-2 specific)|
|GUMS||gums-1.3.18.009-15.2.osg||3.1.13||Switched to jGlobus 2 with SHA-2 support; also see jGlobus, below|
|jGlobus (for BeStMan 2)||jglobus-2.0.5-3.osg||3.1.18||Fixed CRL refresh bug (not SHA-2 specific)|
|VOMS||voms-2.0.8-1.5.osg||3.1.17||SHA-2 fix for voms-proxy-init|
If a component does not appear in the above table, it already has SHA-2 support.