ovs-pki: Use SHA-1 instead of SHA-512 as message digest.

Commit 9ff33ca7 (ovs-pki: Use SHA-512 instead of MD5 as message
digest.) changes the message digest algorithm to SHA-512.  This
seems to break the unit tests on some xenserver 5.6/6.0 builds
causing the error: "SSL_connect: error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm".

As a solution, this commit changes the message digest algorithm
to SHA-1 which works for both the above xenserver builds and
centos 7.

VMware-BZ: #1304530

Signed-off-by: Alex Wang <alexw@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>

diff --git a/NEWS b/NEWS
index 8bec498..230e7cf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,9 @@
 v2.3.1 - xx xxx xxxx
 ---------------------
    - Compatibility with autoconf 2.63 (previously >=2.64)
-
+   - ovs-pki: Changed message digest algorithm from MD5 to SHA-1 because
+     MD5 is no longer secure and some operating systems have started to disable
+     it in OpenSSL.
 
 v2.3.0 - 14 Aug 2014
 ---------------------

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 6081a5e..976fe79 100755 (executable)
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -274,7 +274,7 @@ private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = md5                   # md to use
+default_md     = sha1                  # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option