From: Alex Wang Date: Mon, 22 Sep 2014 22:34:12 +0000 (-0700) Subject: ovs-pki: Use SHA-1 instead of SHA-512 as message digest. X-Git-Tag: v2.4.0~1363 X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=4a1f9610682d785e18fd38f86d81a66aa212789f ovs-pki: Use SHA-1 instead of SHA-512 as message digest. Commit 9ff33ca7 (ovs-pki: Use SHA-512 instead of MD5 as message digest.) changes the message digest algorithm to SHA-512. This seems to break the unit tests on some xenserver 5.6/6.0 builds causing the error: "SSL_connect: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm". As a solution, this commit changes the message digest algorithm to SHA-1 which works for both the above xenserver builds and centos 7. VMware-BZ: #1319116 Signed-off-by: Alex Wang Acked-by: Ben Pfaff --- diff --git a/NEWS b/NEWS index f9ea90fb5..a8bd45b68 100644 --- a/NEWS +++ b/NEWS @@ -20,7 +20,7 @@ Post-v2.3.0 * "resubmit" actions may now be included in action sets. The resubmit is executed last, and only if the action set has no "output" or "group" action. - - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because + - ovs-pki: Changed message digest algorithm from MD5 to SHA-1 because MD5 is no longer secure and some operating systems have started to disable it in OpenSSL. - ovsdb-server: New OVSDB protocol extension allows inequality tests on diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 510f8110d..470517808 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in 
@@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key RANDFILE = $dir/private/.rand # random number file default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha512 # message digest to use +default_md = sha1 # message digest to use policy = policy # default policy email_in_dn = no # Don't add the email into cert DN name_opt = ca_default # Subject name display option
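Review bot: In the NEWS hunk, the reworded entry still gives only "MD5 is no longer secure" as its rationale, which does not explain why the digest is SHA-1 rather than the SHA-512 that commit 9ff33ca7 selected. Suggest adding the compatibility reason from the commit message to the entry (SHA-512 signatures failed with "unknown message digest algorithm" on some xenserver 5.6/6.0 builds), so that readers of NEWS can tell that SHA-1 is a compatibility constraint and not a security recommendation.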
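Review bot: In the utilities/ovs-pki.in hunk, `default_md = sha1` lowers the digest on every platform to suit the xenserver 5.6/6.0 builds named in the commit message, and the neighbouring `default_days = 3650` means certificates signed with it stay valid for ten years. The commit message reports only that SHA-512 fails and SHA-1 works; it does not say whether an intermediate digest such as sha256 was tried on those builds, which is worth checking before settling on SHA-1. If SHA-1 has to stay, extend the trailing comment on the `default_md` line to record why, so the value is not mistaken for a recommended setting and can be raised once the affected builds no longer need support.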