OCSP Responder support for SHA2 hashes in CertID


Can we please add to Let's Encrypt OCSP Responder support for SHA2 hashes in CertID.

Currently any OCSP requests that use SHA2 hashes in CertID receive an "unauthorized" reply (e.g. use -sha384 parameter with openssl ocsp command).

The OCSP Responder currently seems to support only SHA1 hashes.

This is more of a compliance issue.
SHA1 collision resistance has not been considered to be strong enough for a number of years.
Because of this, SHA1 has been dropped as an approved algorithm by Government and Industry regulators.

With support for SHA1 only, some places won't be able to use Let's Encrypt to meet their compliance requirements.


Hi there,

Here’s our latest update in a thread that discussed this issue: Support mod_gnutls with Apache - #47 by aarongable


For posterity, here's the key info from the GitHub threads linked in that post:

RFC 5019 specifically standardizes a "lightweight" OCSP profile for "high-volume environments". As part of that profile, it states that only SHA1 should be supported, because the purpose of this hash is non-cryptographic and efficiency is important in high-volume environments. Let's Encrypt is, to the best of my knowledge, the highest-volume OCSP environment in the world, so we conform to this standard.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.