From 29dd784d7634e98f16728343df2e57e9fd9d26f2 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Fri, 1 Jul 2016 18:05:40 -0700 Subject: [PATCH] ovs-pki: Use SHA-512 instead of SHA-1 as message digest. The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because XenServer did not support SHA-512. It has been a few years, so let's try again. CC: 828478@bugs.debian.org Reported-at: https://bugs.debian.org/828478 Reported-by: Kurt Roeckx Signed-off-by: Ben Pfaff Acked-by: Ryan Moats --- NEWS | 4 ++++ utilities/ovs-pki.in | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 1e324dc66..890e96e09 100644 --- a/NEWS +++ b/NEWS @@ -87,6 +87,10 @@ Post-v2.5.0 watch with tcpdump - Introduce --no-self-confinement flag that allows daemons to work with sockets outside their run directory. + - ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because + SHA-1 is no longer secure and some operating systems have started to + disable it in OpenSSL. + v2.5.0 - 26 Feb 2016 --------------------- diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 9b2b5aa28..7a992a594 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key RANDFILE = $dir/private/.rand # random number file default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 # message digest to use +default_md = sha512 # message digest to use policy = policy # default policy email_in_dn = no # Don't add the email into cert DN name_opt = ca_default # Subject name display option -- 2.20.1
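Review bot: The NEWS entry (the `+` lines under "Post-v2.5.0") should state the compatibility consequence for users, not only the motivation. After this change every certificate ovs-pki signs carries a SHA-512 signature, so any peer whose TLS stack lacks SHA-512 support (the XenServer case the commit message cites as the reason the 2014 attempt was reverted) will fail to validate newly issued certificates, while certificates issued before the upgrade are unaffected. Suggest adding a sentence along the lines of "Certificates signed after this change require SHA-512 support on the verifying side; previously issued certificates are unchanged", and pointing at `openssl x509 -in cert.pem -noout -text` (look for "Signature Algorithm") as the way to check which digest a given certificate was signed with.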
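Review bot: The utilities/ovs-pki.in hunk changes only `default_md` in the generated openssl.cnf (`-default_md = sha1` to `+default_md = sha512` at line 274), which governs signatures made by the `openssl ca` path. Please confirm that the other openssl invocations in ovs-pki (the certificate-request generation and the self-signed CA certificate creation) do not carry their own digest setting or fall back to sha1 on their own, because if any of them still emit a SHA-1 signature the unit-test breakage with OpenSSL 1.1.0 described in the commit message would remain. Since this is the second time this value has flipped, a short comment on the `default_md` line recording why sha512 is required now (OpenSSL 1.1.0 disabling SHA-1) and why it was reverted before (XenServer lacking SHA-512) would save the next person from repeating the history.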