Skip to content

SHA-2 Compliance

When a certificate authority signs a certificate, it uses one of several possible hash algorithms. Historically, the most popular algorithms were MD5 (now retired due to security issues) and the SHA-1 family. SHA-1 certificates are being phased out due to perceived weaknesses — as of February 2017, a practical attack for generating collisions was demonstrated by Google researchers. These days, the preferred hash algorithm family is SHA-2.

The certificate authorities (CAs), which issue host and user certificates used widely in the OSG, defaulted to SHA-2-based certificates on 1 October 2013; all sites will need to make sure that their software supports certificates using the SHA-2 algorithms. All supported OSG releases support SHA-2.

The table below denotes indicates the minimum releases necessary to support SHA-2 certificates.

Component Version In Release Notes
BeStMan 2 bestman2-2.3.0-9.osg 3.1.13 SHA-2 support; also see jGlobus, below
dCache SRM client dcache-srmclient-2.2.11.1-2.osg 3.1.22 Major update includes SHA-2 support
Globus GRAM globus-gram-job-manager-13.45-1.2.osg, globus-gram-job-manager-condor-1.0-13.1.osg, globus-gram-job-manager-pbs-1.6-1.1.osg 3.1.9 Critical bug fixes (not SHA-2 specific)
GUMS gums-1.3.18.009-15.2.osg 3.1.13 Switched to jGlobus 2 with SHA-2 support; also see jGlobus, below
jGlobus (for BeStMan 2) jglobus-2.0.5-3.osg 3.1.18 Fixed CRL refresh bug (not SHA-2 specific)
VOMS voms-2.0.8-1.5.osg 3.1.17 SHA-2 fix for voms-proxy-init

If a component does not appear in the above table, it already has SHA-2 support.