From 9ff33ca75e9fccdcfd392a7431a6ccc0732c21f1 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Fri, 19 Sep 2014 16:17:09 -0700 Subject: [PATCH] ovs-pki: Use SHA-512 instead of MD5 as message digest. This fixes numerous testsuite failures of the form "SSL_connect: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm" on systems that disable MD5 in OpenSSL. Centos 7 is one example. Presumably it increase security as well for anyone who generates certificates based on a new configuration created by the new ovs-pki. Reported-by: Robert Strickler Signed-off-by: Ben Pfaff --- AUTHORS | 1 + NEWS | 3 +++ utilities/ovs-pki.in | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/AUTHORS b/AUTHORS index e3fe7ba07..47bbd8251 100644 --- a/AUTHORS +++ b/AUTHORS @@ -268,6 +268,7 @@ Ralf Heiringhoff ralf@frosty-geek.net Ram Jothikumar rjothikumar@nicira.com Ramana Reddy gtvrreddy@gmail.com Rob Sherwood rob.sherwood@bigswitch.com +Robert Strickler anomalyst@gmail.com Roger Leigh rleigh@codelibre.net Rogério Vinhal Nunes Roman Sokolkov rsokolkov@gmail.com diff --git a/NEWS b/NEWS index 6cbb315c2..f9ea90fb5 100644 --- a/NEWS +++ b/NEWS @@ -20,6 +20,9 @@ Post-v2.3.0 * "resubmit" actions may now be included in action sets. The resubmit is executed last, and only if the action set has no "output" or "group" action. + - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because + MD5 is no longer secure and some operating systems have started to disable + it in OpenSSL. - ovsdb-server: New OVSDB protocol extension allows inequality tests on "optional scalar" columns. See ovsdb-server(1) for details. - test-controller has been renamed ovs-testcontroller at request of users diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 6081a5e22..510f8110d 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -1,6 +1,6 @@ #! /bin/sh -# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc. +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key RANDFILE = $dir/private/.rand # random number file default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = md5 # md to use +default_md = sha512 # message digest to use policy = policy # default policy email_in_dn = no # Don't add the email into cert DN name_opt = ca_default # Subject name display option -- 2.20.1