John,

I'll have a look at where/how the fingerprint method is used; if necessary, I'll 
upgrade it to use SHA-256. Thanks for the pointers.


Regards.

________________________________
From: John Kinsella <jlkin...@gmail.com>
Sent: 02 December 2016 13:12:12
To: dev@cloudstack.apache.org
Subject: Re: [DISCUSS] Bountycastle upgrade

2 thoughts:

1) I know this is partially git's fault on the diff, and I know this is a 
standard gripe from me, but for reviewers things are much easier if 
syntax/whitespace changes are separated out into a separate patch from 
logic/functionality.
2) One thing that caught my eye was the SHA-1 use on the fingerprint. That got 
me looking around the codebase, and I see SHA-1/SHA1 sprinkled around. It's not 
considered secure anymore [1]. Some of the uses are just for naming, that's 
fine. I don't think any of the uses I saw was OMGFIXNOW. But at some point it might 
be nice to replace all that with SHA-256. Would require a data migration, 
though.
3) Awesome, run with it. :)

John
1: https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation


rohit.ya...@shapeblue.com
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS UK
@shapeblue

> On Dec 1, 2016, at 10:17 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
>
> All,
>
>
> I've sent a PR that will upgrade the Bouncy Castle dependency to the latest 
> version [1]. In terms of security, an upgrade is necessary, though it would 
> also require users (who are upgrading to 4.9.1.0, 4.10.0.0 or later) to 
> destroy old systemvms such as CPVM and SSVM so the agents that will be 
> started in new system vms will use the same dependency jar (version/release) 
> and use the same cipher suites as the mgmt server (i.e. there will be no 
> SSL-based communication issue afterwards) as provided by Bouncy Castle v1.55.
>
>
> Thoughts, feedback?
>
>
> [1] https://github.com/apache/cloudstack/pull/1799
>
>
> Regards.
>
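Added example, not CloudStack code: a sketch of the SHA-1 to SHA-256 fingerprint migration John describes above. The stored fingerprint format is made self-describing ("SHA256:" prefix) so old and new values can coexist during the migration, and legacy values are only rewritten when the key material still verifies against them. The key bytes are constructed for the demo, not a real key.

```python
import base64
import hashlib
import hmac

# Constructed sample key material for the demo; not a real key.
SAMPLE_KEY = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ-constructed-example-key"

def fingerprint_sha1(key: bytes) -> str:
    """Legacy format: colon-separated hex of the SHA-1 digest (40 hex chars, 59 total)."""
    hexdigest = hashlib.sha1(key).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_sha256(key: bytes) -> str:
    """New format: 'SHA256:' plus unpadded base64 of the digest, so the algorithm
    is self-describing and the two formats can be told apart when stored together."""
    digest = hashlib.sha256(key).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def is_legacy(stored: str) -> bool:
    return not stored.startswith("SHA256:")

def matches(stored: str, key: bytes) -> bool:
    """Verify key material against a stored fingerprint of either format."""
    expected = fingerprint_sha1(key) if is_legacy(stored) else fingerprint_sha256(key)
    return hmac.compare_digest(stored, expected)

def migrate(records: list[dict]) -> dict:
    """Rewrite legacy SHA-1 fingerprints to SHA-256 where the key material is still
    on hand and still verifies; report records that cannot be migrated safely."""
    summary = {"migrated": 0, "unchanged": 0, "mismatch": []}
    for rec in records:
        if not is_legacy(rec["fingerprint"]):
            summary["unchanged"] += 1
        elif matches(rec["fingerprint"], rec["key"]):
            rec["fingerprint"] = fingerprint_sha256(rec["key"])
            summary["migrated"] += 1
        else:
            summary["mismatch"].append(rec["id"])  # leave as-is for manual review
    return summary

if __name__ == "__main__":
    table = [
        {"id": 1, "key": SAMPLE_KEY, "fingerprint": fingerprint_sha1(SAMPLE_KEY)},
        {"id": 2, "key": SAMPLE_KEY, "fingerprint": fingerprint_sha256(SAMPLE_KEY)},
        {"id": 3, "key": SAMPLE_KEY + b"x", "fingerprint": fingerprint_sha1(SAMPLE_KEY)},
    ]
    print(migrate(table), table[0]["fingerprint"])
```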
