1 of 5 06/11/2014 14:03
SHA-256 Compatibility https://support.globalsign.com/customer/portal/art...
Netscape 7.1+
Opera 9.0+
Safari 3+
(Ships with OS X 10.5)
Apache 2.0 is bundled with mod_ssl by default. Versions prior to 2.0 require
manual installation of mod_ssl for any SSL support at all. Mod_gnutls is an
alternative to mod_ssl, leveraging GnuTLS instead of OpenSSL libraries.
* S/MIME:
Outlook on Windows XP SP3 can utilize certificates signed with SHA-256 but
cannot validate an e-mail signed using the SHA-256 hashing algorithm.
By default, Outlook signs with SHA1 even if a SHA2 cert is in use, though this
behavior can be changed if desired.
** Code Signing:
Code can be signed with a SHA2 cert on any of the systems listed as having
partial or full compatibility without issue.
There is an incompatibility with SHA2 signed kernel drivers on the partially
compatible platforms. Kernel drivers signed with SHA2 certs will not install on
systems listed as having "Partial" compatibility.
E-Mail Clients
                                        Verify SHA-1    Verify SHA-256  Send SHA-1      Send SHA-256
                                        Signed E-Mail   Signed E-Mail   Signed E-Mail   Signed E-Mail
Mozilla Thunderbird 24 on XP SP3 [4]    ✓               ✓               ✓               N/A
IBM Notes 8 [8]                         ✓               ✗               ✓               ✗
IBM Notes 9 [8]                         ✓               ✓               ✓               ✓
Outlook 2003 / 2007 on XP SP3 [1][2]    ✓               ✗               ✓               ✗
Outlook 2007 on Windows Vista [1][2]    ✓               ✓               ✓               ✓
Document Signing
                                    Place SHA1 Signature        Place SHA2 Signature        Validate SHA2
                                    with SHA-256 certificate    with SHA-256 certificate    Signature
LibreOffice 4 [7]                   ✓                           ✗                           ✗
Microsoft Office 2003, 2007 [7]     ✓                           ✗                           ✗
Microsoft Office 2010, 2013         ✓                           ✓                           ✓
Adobe Acrobat 8.0+                  ✓                           ✓                           ✓
Adobe Reader 8.0+                   ✓ (See Note)                ✓ (See Note)                ✓
Note: Adobe Reader 8+ can place signatures with a Digital ID if the functionality
has been enabled via Adobe Acrobat Professional.
Adobe Acrobat & Adobe Reader are compatible with SHA-256 certs as of version
8.0, but still place SHA1 signatures by default. As of version 9.1, Acrobat & Reader
will prefer SHA-256 for the signature hash if available; otherwise they will fall back to
SHA1. SHA-2 signatures can be preferred in versions prior to 9.1 through edits to
the registry.
Digital signatures placed with newer versions of Microsoft Office may not be
backwards compatible with older versions. Legacy compatibility can be specified
manually.
Office 2003 - 2010 work with SHA-2 certs, but place SHA1 signatures. Office 2013
uses SHA2 as the default signature hash when available. You can specify the
signature hash in Office 2010 & 2013 via the registry.
Office 2010 on Windows 7 requires hotfix KB 2598139 to add SHA-256 support for
Code Signing certs.
Mainframe
                    Minimum Version Required
IBM z/OS [11]       v1r10

Citrix Support
                    Minimum Version Required
Citrix Receiver     Varies - See PDF

Services
                                      Notes
Belgian Online Government Services    No SHA2 Support. Issue PersonalSign3 as SHA1.
FDA ESG                               Works with SHA2
FDA Encrypted E-Mail                  FDA S/MIME firewall cannot handle SHA2.
Sources
[1] SHA2 and Windows.
[2] Common questions about SHA2 and Windows.
[3] OpenSSL Changelog
[4] Bug 222179 - User preferences should control ciphers used when sending encrypted S/MIME messages
[5] iKey 4000 Specifications
[6] eToken 5100 Specifications
[7] Verified In-House
[8] IBM Notes SHA2 Support
[9] IBM Domino Planned SHA-2 Support
[10] IBM HTTP Server
[11] IBM z/OS
[12] GnuTLS
[13] .NET Security Blog
[14] Security Advisory 2949927 (SHA-2 Hash Support for Kernel Drivers)
[15] SHA-2 Signed Executables Windows Vista & Server 2008
[16] VSTO Runtime Update to Address “Unknown Publisher” for SHA256 Certificates