The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in
2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
XenServer did not support SHA-512. It has been a few years, so let's try
again.
CC: [email protected]
Reported-at: https://bugs.debian.org/828478
Reported-by: Kurt Roeckx <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>
---
v1->v2: Suggested by Kurt Roeckx;
- Use sha512 unconditionally.
- Drop AUTHORS update.
- Add NEWS update.
NEWS | 4 ++++
utilities/ovs-pki.in | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 802e7f8..e7b43d2 100644
--- a/NEWS
+++ b/NEWS
@@ -75,6 +75,10 @@ Post-v2.5.0
watch with tcpdump
- Introduce --no-self-confinement flag that allows daemons to work with
sockets outside their run directory.
+ - ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because
+ SHA-1 is no longer secure and some operating systems have started to
+ disable it in OpenSSL.
+
v2.5.0 - 26 Feb 2016
---------------------
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 9b2b5aa..7a992a5 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = sha1 # message digest to use
+default_md = sha512 # message digest to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
--
2.1.3
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
