to generate a sample csr with sha256 sig use:
openssl req -new -sha256    -newkey rsa:2048 -nodes -out example_com_sha256.csr    -keyout example_com_sha256.key    -subj "/C=US/ST=/L=/O=/CN=example.com"

to parse the csr with openssl (command line) use:
openssl req -in example_com_sha256.csr    -noout -text

sample output:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a7:7a:17:c4:17:72:8e:5b:36:36:05:8f:57:10:
                    a5:b9:f2:4b:05:9e:88:62:bc:8b:a5:ad:c3:6a:41:
                    b5:31:25:cc:86:7c:99:6b:f4:7f:74:a1:01:93:95:
                    b9:3e:b7:dc:b4:b4:59:3c:ff:22:8c:d5:87:75:44:
                    93:9c:19:de:08:42:b2:fd:88:eb:71:6b:8b:21:4a:
                    06:66:9c:6d:2b:10:bb:f5:e8:7c:a2:3a:ae:51:86:
                    51:3a:d1:96:02:93:f1:de:3a:68:06:6d:36:20:41:
                    b4:09:d8:ed:74:5e:ff:ae:ba:26:84:ac:4d:6a:30:
                    6a:b4:01:ec:3a:a0:f9:5c:08:5c:6c:5e:1f:f2:11:
                    2c:11:a1:3d:44:17:79:33:0a:97:a0:4e:b8:c3:81:
                    e4:58:d7:10:b3:50:43:af:9e:4b:b9:05:e7:5d:da:
                    78:b1:85:c4:36:a7:d5:b2:82:7a:1a:ab:4c:6c:98:
                    a1:b5:6c:1a:99:04:18:2b:8d:80:2f:11:23:1d:41:
                    53:7a:15:39:2b:84:23:bf:2d:b0:32:5a:7d:0d:d0:
                    3f:ac:d3:66:9c:9f:a2:df:40:4b:0d:9c:98:e4:64:
                    44:b7:58:1d:54:75:07:47:b9:03:e5:57:10:d3:1a:
                    ac:85:c6:f1:19:1c:df:a6:33:12:25:0b:ee:9a:fb:
                    72:93
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
        48:ac:2e:08:93:95:ec:c3:12:ab:88:33:1f:7f:37:c3:5a:9b:
        6a:9a:b3:ea:35:ca:f0:1d:40:47:f0:31:8f:f3:36:b4:3d:5d:
        ee:74:48:fe:1b:43:4b:78:d7:97:d5:d5:77:8f:ba:51:db:35:
        75:c4:89:dc:b6:49:86:4e:4c:42:e7:01:e3:cb:72:da:9b:94:
        d1:ed:b7:59:be:f6:eb:44:68:54:e5:10:0c:bf:7a:9f:48:18:
        86:f2:f2:84:ca:a1:3b:48:be:d1:4a:40:22:12:7b:c0:42:a5:
        a0:ce:0f:43:17:44:e2:cf:e8:27:1d:71:d5:92:d8:de:bd:82:
        c2:11:f2:73:8c:c3:ab:5e:a1:64:78:af:a6:10:19:b1:ed:b2:
        fb:4c:bb:66:20:fe:1a:34:af:43:9f:4d:4e:6d:a2:f0:d0:df:
        33:93:e5:a7:d5:dc:2f:47:e3:56:31:fd:50:d2:2e:83:2f:d2:
        b2:fb:a8:7d:ce:4a:1f:a1:14:fc:45:92:ca:1c:85:3a:e7:32:
        e4:a8:13:fe:54:9a:ee:25:02:26:d3:b5:e1:96:08:f3:c8:36:
        59:ef:f5:46:1c:62:e6:58:ea:d4:86:a8:3f:ed:92:77:d7:eb:
        d3:92:a1:91:8e:2c:1c:4e:c2:12:b0:c9:8b:3b:17:99:32:03:
        e3:9e:a5:dd

should i submit a new patch with
#if OPENSSL_VERSION_NUMBER >= 0x0090708fL 
instead of
#ifndef OPENSSL_NO_SHA256
?

Mark, yes, you probably should. It will also help a lot if you include test cases for the new functionality. Make sure those tests also run with older versions of openssl though!

cheers,
Derick

hi,

Thanks for the patch, I will apply it asap but it won't make it for the next 
releases of 5.3 or 5.4 as we are already in release phases.

Btw, can you add some tests too please?

About the patch, yes, please use the openssl version check instead. As what is 
done now won't work smoothly with older versions.

As of getting a svn account (asked per email but adding answer here too), we 
usually give one after that one has provided a couple of patches :)

Thanks for your work!

added openssl version check, added new patch with .phpt test

Changed name of const to OPENSSL_ALGO_RMD160 instead of OPENSSL_ALGO_RIPEMD160

Is there anything preventing this bugfix/patch from being committed into git?

Modified pastebin example to show simpler test case:
http://pastebin.com/qdCyC0Pe

older pastebin example now available at:
http://pastebin.com/4LQDqMD5

I just added a patch, updated to php 5.4.4.  Hopefully this can make it into php 5.4.5.

hi!

that looks good now! Thanks!

Could you add the latest examples as extra tests as well please?

I will commit it to master this week.

Those new examples are also all be in the openssl-add-sig-algs.txt patch file I uploaded yesterday.  So we should be good to go.

This issue is an important feature to add to PHP, considering
"SHA-1 has recently been demonstrated to provide less than 80 bits of security for digital signatures; at the publication of this Recommendation, the security strength against collisions is assessed at 69 bits. The use of SHA-1 is not recommended for the generation of digital signatures in new systems; new systems should use one of the larger hash functions. (SHA-224, SHA-256, SHA-384 and SHA-512)"
https://wiki.mozilla.org/CA:MD5and1024

Patch compiles fine, I asked the RMs if it is fine to merge into 5.3/4.

Will commit all at once once I got an answer.

Thanks for your work and patience!

updated version to php 5.4.5

PHP 5.4 release manager stas had me create a pull request for this bug.
https://github.com/php/php-src/pull/196

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.