ovs-pki: Use SHA-512 instead of SHA-1 as message digest.

The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
XenServer did not support SHA-512.  It has been a few years, so let's try
again.

CC: 828478@bugs.debian.org
Reported-at: https://bugs.debian.org/828478
Reported-by: Kurt Roeckx <kurt@roeckx.be>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ryan Moats <rmoats@us.ibm.com>

diff --git a/NEWS b/NEWS
index 1e324dc..890e96e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -87,6 +87,10 @@ Post-v2.5.0
      watch with tcpdump
    - Introduce --no-self-confinement flag that allows daemons to work with
      sockets outside their run directory.
+   - ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because
+     SHA-1 is no longer secure and some operating systems have started to
+     disable it in OpenSSL.
+
 
 v2.5.0 - 26 Feb 2016
 ---------------------

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 9b2b5aa..7a992a5 100755 (executable)
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -274,7 +274,7 @@ private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = sha1                  # message digest to use
+default_md     = sha512                # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option