Software and Hardware that Support SHA-2

Support for SHA-2 has improved over the last few years. Most browsers, platforms, mail clients, and mobile devices already support SHA-2. However, some older operating systems such as Windows XP pre-SP3 do not support SHA-2 encryption.

Many organizations will be able to convert to SHA-2 without running into user experience issues, and many may want to encourage users running older, less secure systems to upgrade.

This page lists the minimum version required for SHA-2 as well as some exceptions.


Browser & Server Support

Browser Minimum Browser Version
Chrome 26+
Firefox 1.5+
Internet Explorer 6+ (With XP SP3+)
Konqueror 3.5.6+
Mozilla 1.4+
Netscape 7.1+
Opera 9.0+
Safari 3+ (Ships with OS X 10.5)
Server Minimum Server Version
4D Server 14.01+
Amazon Web Services (AWS)1
Apache 2.0.63+ w/ OpenSSL 0.9.8o+
Barracuda Network Access Client 3.5+
Cisco ASA 5500 for AnyConnect VPN Sessions; 8.4(2)+ for other functionalities
Citrix Receiver Varies - See PDF (FIPS 140 & SHA-2 Line)
CrushFTP 7.1.0+
F5 BIG-IP 10.1.0+
IBM Domino Server2 9.0+ (Bundled with HTTP 8.5+)
IBM HTTP Server2 8.5+ (Bundled with Domino 9+)
IBM z/OS v1r10+
Java based products Java 1.4.2+
Mozilla NSS Based Products 3.8+
OpenSSL based products OpenSSL 0.9.8o+
Oracle Wallet Manager
Oracle Weblogic 10.3.1+
SonicOS (SonicWALL)
WebSphere MQ

Although AWS is SHA-2 compatible, instances of AWS are typically Virtual Private Servers. Therefore, AWS SHA-2 compatibility is dependent on the base server platform. Other AWS applications (such as Elastic Load Balancing (ELB)) support SHA-2 Certificates.

IBM Domino Server by itself does not currently support SHA-2 secured connections. To use SHA-2 SSL Certificates to secure your connection, you must use an HTTP proxy server that is set up to handle your incoming HTTPS requests. Domino 9.0 includes HTTP proxy server support and is configured so that you can use it with IBM HTTP Server (


OS Support

Operating System SSL Certificate Minimum OS Version Client Certificate Minimum OS Version
Android 2.3+ 2.3+
Apple iOS 3.0+ 3.0+
Blackberry 5.0+ 5.0+
Mac OS X 10.5+ 10.5+
Windows XP SP3+ XP SP3+ (Partial)
Windows Phone 7+ 7+
Windows Server 2003 SP2 +Hotfixes (Partial) 2003 SP2 +Hotfixes (Partial)

Detailed OS Compatibility

Operating System SSL Certificate (Client Side) SSL Certificate (Server Side) S/MIME Code Signing
Mac OS X 10.5+ N/A
Windows 8 N/A
Windows 7 N/A Partial
Windows Vista N/A Partial
Windows XP SP34 N/A Partial Partial
Windows Server 2012 & 2012 R2
Windows Server 2008 & 2008 R2 Partial
Windows Server 2003 w/ KB 938397 3, 4 Partial Partial
Windows Phone 8 N/A N/A
Windows Phone 7 N/A N/A

To enable the same SHA-2 compatibility on Windows Server 2003 as Windows XP SP3, see KB 938397.

To fix issues when authenticating from XP SP3 or Server 2003 to Server 2008 using SHA-2, see KB 968730.


Email Client Compatibility

Email Client Verify SHA-2
Signed E-Mail
Sign E-Mail
with SHA-2
IBM Notes 9+
Mac Mail on OS X 10.5+
Mozilla Thunderbird1.5+
Outlook 2007+ on Vista+

Document Signing Compatibility

Client Verify SHA-2
Signed Document
Place SHA-2 Signature
with SHA-2 certificate
Adobe Acrobat Pro 9+
Adobe Reader 9+ N/A
LibreOffice Writer 4.2 on Vista+
Word 2007+ on Vista+

Code Signing Compatibility

Operating System Authenticode Kernel Mode VBA Macros:
Office 2003, 2007, 2010
VBA Macros: Office 2013
Windows 8
Windows 7
Windows Vista N/A
Windows XP SP3 N/A

SafeNet eToken / iKey Compatibility

eToken / iKey Place SHA-2 Signature
eToken 5205
eToken 5200
eToken 5105
eToken 5100
iKey 4000