ovs-pki: Use SHA-512 instead of MD5 as message digest.

This fixes numerous testsuite failures of the form "SSL_connect:
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
digest algorithm" on systems that disable MD5 in OpenSSL.  Centos 7 is one
example.  Presumably it increase security as well for anyone who generates
certificates based on a new configuration created by the new ovs-pki.

Reported-by: Robert Strickler <anomalyst@gmail.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>

diff --git a/AUTHORS b/AUTHORS
index e3fe7ba..47bbd82 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -268,6 +268,7 @@ Ralf Heiringhoff        ralf@frosty-geek.net
 Ram Jothikumar          rjothikumar@nicira.com
 Ramana Reddy            gtvrreddy@gmail.com
 Rob Sherwood            rob.sherwood@bigswitch.com
+Robert Strickler        anomalyst@gmail.com
 Roger Leigh             rleigh@codelibre.net
 Rogério Vinhal Nunes
 Roman Sokolkov          rsokolkov@gmail.com

diff --git a/NEWS b/NEWS
index 6cbb315..f9ea90f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ Post-v2.3.0
      * "resubmit" actions may now be included in action sets.  The resubmit
        is executed last, and only if the action set has no "output" or "group"
        action.
+   - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because
+     MD5 is no longer secure and some operating systems have started to disable
+     it in OpenSSL.
    - ovsdb-server: New OVSDB protocol extension allows inequality tests on
      "optional scalar" columns.  See ovsdb-server(1) for details.
    - test-controller has been renamed ovs-testcontroller at request of users

diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 6081a5e..510f811 100755 (executable)
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -274,7 +274,7 @@ private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = md5                   # md to use
+default_md     = sha512                # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option