
SHA-256 Compatibility https://support.globalsign.com/customer/portal/art...

SHA-256 Compatibility


Last Updated: Nov 04, 2014 03:01PM EST
Certificates issued with the SHA-256 hashing algorithm have support on most
modern operating systems. Some older systems only support hashing algorithms
such as MD5 or SHA1 and not the more secure SHA2. As a general rule, SHA-256
is supported on OS X 10.5+ and Windows XP SP3+.

There are some use cases where SHA-256 is not supported. Read below for
minimum version requirements as well as finer compatibility detail and exceptions.

Note: For GlobalSign's policy on SHA-256 issuance, please read the SHA-256
Rollout article.

OS, Browser, and Server Support

Operating System    Minimum OS Version     Minimum OS Version
                    (SSL Certificates)     (Client Certificates)
Apple OS X          10.5+                  10.5+
Apple iOS           3.0+                   3.0+
Android             All Versions           All Versions
Blackberry          5.0+                   5.0+
ChromeOS            All Versions           All Versions
Windows [1] [2]     XP SP3+                XP SP3+
Windows Phone       7+                     7+
Windows Server      2003 SP2 + MS13-095    2003 SP2 + MS13-095

Browser              Minimum Browser Version
Chrome               26+
Firefox              1.5+
Internet Explorer    6+ (With XP SP3+)
Konqueror            3.5.6+
Mozilla              1.4+
Netscape             7.1+
Opera                9.0+
Safari               3+ (Ships with OS X 10.5)

Server                       Minimum Server Version
Apache Server                Dependent on OpenSSL or GnuTLS version.
IBM Domino Server [9]        9.x with Fix Pack
IBM HTTP Server [10]         8.5 (Bundled with Domino 9)
Microsoft Exchange Server    Dependent on Windows Server Version
Oracle Weblogic              10.3.1+

Apache 2.0 is bundled with mod_ssl by default. Versions prior to 2.0 require
manual installation of mod_ssl for any SSL support at all. Mod_gnutls is an
alternative to mod_ssl, leveraging GnuTLS instead of OpenSSL libraries.

Toolkits, Libraries, Frameworks, etc.

                 Minimum Version
Java             Java 1.4.2+
Mozilla          NSS 3.8+
OpenSSL [3]      0.9.8o+
GNUTLS [12]      2.0+
.NET [13]        FX 3.5 SP1+

Detailed Operating System Support

                                      SSL Certificates    SSL Certificates    S/MIME      Code Signing
                                      (Client Side)       (Server Side)
Windows XP (SP1, SP2)                 ✗                   N/A                 ✗           ✗
Windows XP SP3                        ✓                   N/A                 Partial*    Partial**
Windows Vista                         ✓                   N/A                 ✓           Partial**
Windows 7 [14]                        ✓                   N/A                 ✓           ✓
Windows 8                             ✓                   N/A                 ✓           ✓

Windows Server 2003 / 2003 SP1        ✗                   ✗                   ✗           ✗
Windows Server 2003 SP2 + MS13-095    ✓                   ✓                   ✓           ✗
Windows Server 2008                   ✓                   ✓                   ✓           Partial**
Windows Server 2008 R2 [14]           ✓                   ✓                   ✓           ✓
Windows Server 2012 & 2012 R2         ✓                   ✓                   ✓           ✓

Windows Phone 5                       ✗                   N/A                 ✗           N/A
Windows Phone 6                       ✗                   N/A                 ✗           N/A
Windows Phone 7                       ✓                   N/A                 ✓           N/A
Windows Phone 8                       ✓                   N/A                 ✓           N/A

Notes on "Partial" compatibility:


* S/MIME:
Outlook on Windows XP SP3 can utilize certificates signed with SHA-256 but
cannot validate an e-mail signed using the SHA-256 hashing algorithm.
By default Outlook signs with SHA1 even if a SHA2 cert is in use though this
behavior can be changed if desired.

** Code Signing:
Code can be signed with a SHA2 cert on any of the systems listed as having
partial or full compatibility without issue.
There is an incompatibility with SHA2 signed kernel drivers on the partially
compatible platforms. Kernel drivers signed with SHA2 certs will not install on
systems listed as having "Partial" compatibility.

E-Mail Clients

                                             Verify SHA-1     Verify SHA-256    Send SHA-1       Send SHA-256
                                             Signed E-Mail    Signed E-Mail     Signed E-Mail    Signed E-Mail
Mozilla Thunderbird 24 on XP SP3 [4]         ✓                ✓                 ✓                N/A
IBM Notes 8 [8]                              ✓                ✗                 ✓                ✗
IBM Notes 9 [8]                              ✓                ✓                 ✓                ✓
Outlook 2003 / 2007 on XP SP3 [1] [2]        ✓                ✗                 ✓                ✗
Outlook 2007 on Windows Vista [1] [2]        ✓                ✓                 ✓                ✓

Set Outlook Hash Algorithm to SHA-1

Outlook 2003: Tools > Options > Settings > Security > Settings > Hash Algorithm > SHA1
Outlook 2007, 2010, 2013: File > Options > Trust Center > Trust Center Settings > E-Mail Security > Settings > Hash Algorithm > SHA1

Document Signing

                                    Place SHA1 Signature        Place SHA2 Signature        Validate SHA2
                                    with SHA-256 certificate    with SHA-256 certificate    Signature
LibreOffice 4 [7]                   ✓                           ✗                           ✗
Microsoft Office 2003, 2007 [7]     ✓                           ✗                           ✗
Microsoft Office 2010, 2013         ✓                           ✓                           ✓
Adobe Acrobat 8.0+                  ✓                           ✓                           ✓
Adobe Reader 8.0+                   ✓ (See Note)                ✓ (See Note)                ✓

Note: Adobe Reader 8+ can place signatures with a Digital ID if the functionality
has been enabled via Adobe Acrobat Professional.

Adobe Acrobat & Adobe Reader are compatible with SHA-256 certs as of version
8.0, but still place SHA1 signatures by default. As of version 9.1, Acrobat & Reader
prefer SHA-256 for the signature hash if available and otherwise fall back to
SHA1. In versions prior to 9.1, SHA-2 signatures can be preferred through edits to
the registry.

Digital signatures placed with newer versions of Microsoft Office may not be
backwards compatible with older versions. Legacy compatibility can be specified
manually.

Office 2003 - 2010 work with SHA-2 certs, but place SHA1 signatures. Office 2013
uses SHA2 as the default signature hash when available. You can specify the
signature hash in Office 2010 & 2013 via the registry.

Windows Code Signing

                          Executables    Kernel     VBA Macros:          VBA Macros:    VBA Macros:
                                         Drivers    Office 2003, 2007    Office 2010    Office 2013
Windows XP (SP1, SP2)     ✗              ✗          ✗                    ✗              N/A
Windows XP SP3            ✓              ✗          ✗                    ✓              N/A
Windows Vista [15]        ✓              ✗          ✗                    ✓              N/A
Windows 7 [14]            ✓              ✓          ✗                    ✓              ✓
Windows 8                 ✓              ✓          ✗                    ✓              ✓

Office 2010 on Windows 7 requires hotfix KB 2598139 to add SHA-256 support for
code signing certs.

                                              Minimum Version Required
Visual Studio Tools for Office (VSTO) [16]    10.0.50325

SafeNet iKey / eToken Compatibility

                    Works with SHA2    Place SHA1    Place SHA2
                    Certificate        Signature     Signature
iKey 4000 [5]       ✓                  ✓             ✗
eToken 5100 [6]     ✓                  ✓             ✓

Mainframe

                    Minimum Version Required
IBM z/OS [11]       v1r10

Citrix Support

                    Minimum Version Required
Citrix Receiver     Varies - See PDF

Services

                                      Notes
Belgian Online Government Services    No SHA2 Support. Issue PersonalSign3 as SHA1.
FDA ESG                               Works with SHA2
FDA Encrypted E-Mail                  FDA S/MIME firewall cannot handle SHA2.


Sources
[1] SHA2 and Windows.
[2] Common questions about SHA2 and Windows.
[3] OpenSSL Changelog
[4] Bug 222179 - User preferences should control ciphers used when sending encrypted S/MIME messages
[5] iKey 4000 Specifications
[6] eToken 5100 Specifications
[7] Verified In-House
[8] IBM Notes SHA2 Support
[9] IBM Domino Planned SHA-2 Support
[10] IBM HTTP Server
[11] IBM z/OS
[12] GnuTLS
[13] .NET Security Blog
[14] Security Advisory 2949927 (SHA-2 Hash Support for Kernel Drivers)
[15] SHA-2 Signed Executables Windows Vista & Server 2008
[16] VSTO Runtime Update to Address “Unknown Publisher” for SHA256 Certificates
