SHA2 COMPATIBILITY

 

Certificates issued with the SHA256 hashing algorithm are supported on most modern operating systems. Some older systems support only hashing algorithms such as MD5 or SHA1, not the more secure SHA2. As a general rule, SHA256 is supported on OS X 10.5+ and Windows XP SP3+.

There are some use cases where SHA256 is not supported. Read below for minimum version requirements as well as finer compatibility detail and exceptions.

OS, BROWSER AND SERVER SUPPORT

| OS | MINIMUM OS VERSION (SSL) | MINIMUM OS VERSION (CLIENT) |
|---|---|---|
| Apple OS X | 10.5+ | 10.5+ |
| Apple iOS | 3.0+ | 3.0+ |
| Android | 2.3+ | 2.3+ |
| Blackberry | 5.0+ | 5.0+ |
| ChromeOS | ? | ? |
| Windows [1] [2] | XP SP3+ | XP SP3+ (Partial) |
| Windows Phone | 7+ | 7+ |
| Windows Server | 2003 SP2 +Hotfixes (Partial) | 2003 SP2 +Hotfixes (Partial) |

| BROWSER | MINIMUM BROWSER VERSION |
|---|---|
| Chrome | 26+ |
| Firefox | 1.5+ |
| Internet Explorer | 6+ (With XP SP3+) |
| Konqueror | 3.5.6+ |
| Mozilla | 1.4+ |
| Netscape | 7.1+ |
| Opera | 9.0+ |
| Safari | 3+ (Ships with OS X 10.5) |

| SERVER | MINIMUM SERVER VERSION |
|---|---|
| Apache Server | 2.0.63+ w/ OpenSSL 0.9.8o+ |
| Citrix Receiver | Varies – See PDF (FIPS 140 & SHA2 Line) |
| IBM Domino Server [9] | SHA2 Not Supported |
| IBM HTTP Server [10] | 8.5 (Bundled with Domino 9) |
| Java based products | Java 1.4.2+ |
| Mozilla NSS Based Products | 3.8+ |
| OpenSSL based products [3] | OpenSSL 0.9.8o+ |
| Oracle Weblogic | 10.3.1+ |

DETAILED OPERATING SYSTEM SUPPORT

| OPERATING SYSTEM | SSL CERTIFICATES (CLIENT SIDE) | SSL CERTIFICATES (SERVER SIDE) | S/MIME | CODE SIGNING |
|---|---|---|---|---|
| Windows XP (SP1, SP2) | ? | N/A | ? | ? |
| Windows XP SP3 | ? | N/A | Partial | Partial |
| Windows Vista | ? | N/A | ? | Partial |
| Windows 7 | ? | N/A | ? | Partial |
| Windows 8 | ? | N/A | ? | ? |
| Windows Server 2003, SP1, SP2 | ? | ? | ? | ? |
| Windows Server 2003 SP1 & SP2 w/ KB 938397 | ? | ? | ? | N/A |
| Windows Server 2003 SP2 w/ KB 968730 | ? | ? | Partial | N/A |
| Windows Server 2008 & 2008 R2 | ? | ? | ? | Partial |
| Windows Server 2012 & 2012 R2 | ? | ? | ? | ? |
| Windows Phone 5 | ? | N/A | ? | N/A |
| Windows Phone 6 | ? | N/A | ? | N/A |
| Windows Phone 7 | ? | N/A | ? | N/A |
| Windows Phone 8 | ? | N/A | ? | N/A |

Install KB 938397 on Windows Server 2003 to enable the same SHA2 compatibility as Windows XP SP3.
Install KB 968730 on XP SP3 or Server 2003 to fix an issue when authenticating to a 2008 server using SHA2.

EMAIL CLIENTS

| EMAIL CLIENT | VERIFY SHA1 SIGNED EMAIL | VERIFY SHA256 SIGNED EMAIL | SEND SHA1 SIGNED EMAIL | SEND SHA256 SIGNED EMAIL |
|---|---|---|---|---|
| Mozilla Thunderbird 24 on XP SP3 | ? | ? | ? | N/A [4] |
| IBM Notes 8 [8] | ? | ? | ? | ? |
| IBM Notes 9 [8] | ? | ? | ? | ? |
| Outlook 2003 / 2007 on XP SP3 [1] [2] | ? | ? | ? | ? |
| Outlook 2007 on Windows 7 [1] [2] | ? | ? | ? | ? |

Set Outlook Hash Algorithm to SHA1

Outlook 2003: Tools > Options > Settings > Security > Settings > Hash Algorithm > SHA1

Outlook 2007, 2010, 2013: File > Options > Trust Center > Trust Center Settings > E-Mail Security > Settings > Hash Algorithm > SHA1

WORD PROCESSORS

| WORD PROCESSOR | VERIFY SHA1 SIGNED DOCUMENT | VERIFY SHA256 SIGNED DOCUMENT | PLACE SHA1 SIGNATURE WITH SHA256 CERTIFICATE | PLACE SHA256 SIGNATURE WITH SHA256 CERTIFICATE |
|---|---|---|---|---|
| Word 2003 & 2007 on XP SP3 [7] | ? | N/A | ? | ? |
| LibreOffice Writer 4.2 on XP SP3 [7] | ? | N/A | ? | N/A |

CODE SIGNING

| OPERATING SYSTEM | EXECUTABLES | KERNEL DRIVERS | VBA MACROS: OFFICE 2003, 2007, 2010 | VBA MACROS: OFFICE 2013 |
|---|---|---|---|---|
| Windows XP (SP1, SP2) | ? | ? | ? | N/A |
| Windows XP SP3 | ? | ? | ? | N/A |
| Windows Vista | ? | ? | ? | N/A |
| Windows 7 | ? | ? | ? | ? |
| Windows 8 | ? | ? | ? | ? |

SAFENET iKEY / eTOKEN COMPATIBILITY

| TOKEN | WORKS WITH SHA2 CERTIFICATE | PLACE SHA1 SIGNATURE | PLACE SHA2 SIGNATURE |
|---|---|---|---|
| iKey 4000 [5] | ? | ? | ? |
| eToken 5100 [6] | ? | ? | ? |

| MAINFRAME | MINIMUM VERSION REQUIRED |
|---|---|
| IBM z/OS [11] | v1r10 |

| SERVICES | NOTES |
|---|---|
| Belgian Online Government Services | No SHA2 Support. Issue PersonalSign3 as SHA1 |
| FDA ESG | Works with SHA2 |
| FDA Encrypted email | FDA S/MIME firewall cannot handle SHA2 |

SOURCES

[1] SHA2 and Windows
[2] Common questions about SHA2 and Windows
[3] OpenSSL Changelog
[4] Bug 222179 – User preferences should control ciphers used when sending encrypted S/MIME messages
[5] iKey 4000 Specifications
[6] eToken 5100 Specifications
[8] IBM Notes SHA2 Support
[9] IBM Domino – No SHA2
[10] IBM HTTP Server
[11] IBM z/OS