On 15.11.2018 13:46, Bert Huijben wrote:
> Web browsers are moving away from supporting MD5 in certificates. Should we
> also move to more secure hashes in our tests?

I don't think it matters for the tests; we'd effectively be testing OpenSSL, not Serf, right? Also, the system OpenSSL (and hence default pyopenssl) on macOS is still 0.9.x and that doesn't support anything newer than SHA1, IIRC. That's just a complication for developers, of course, not for users. -- Brane > On Fri, Nov 2, 2018 at 8:11 AM, <br...@apache.org> wrote: > >> Author: brane >> Date: Fri Nov 2 07:11:48 2018 >> New Revision: 1845542 >> >> URL: http://svn.apache.org/viewvc?rev=1845542&view=rev >> Log: >> * test/certs/create_certs.py (create_crl): Support versions of PyOpenSSL >> that >> require that the digest parameter is set explicitly in crl.export(). >> >> Suggested by: jamessan >> >> Modified: >> serf/trunk/test/certs/create_certs.py >> >> Modified: serf/trunk/test/certs/create_certs.py >> URL: http://svn.apache.org/viewvc/serf/trunk/test/certs/create_ >> certs.py?rev=1845542&r1=1845541&r2=1845542&view=diff >> ============================================================ >> ================== >> --- serf/trunk/test/certs/create_certs.py (original) >> +++ serf/trunk/test/certs/create_certs.py Fri Nov 2 07:11:48 2018 >> @@ -78,7 +78,13 @@ def create_crl(revokedcert, cakey, cacer >> revoked.set_rev_date(now_str) # revoked as of now >> >> crl.add_revoked(revoked) >> - open(crlfile, "wt").write(crl.export(cacert, cakey, >> days=next_crl_days)) >> + try: >> + exported = crl.export(cacert, cakey, days=next_crl_days, >> digest=b"md5") >> + except TypeError: >> + # Some very old versions of pyopenssl (such as the one on macOS) >> + # do not support the 'digest' keyword argument. >> + exported = crl.export(cacert, cakey, days=next_crl_days) >> + open(crlfile, "wt").write(exported) >> >> # subjectAltName >> def create_cert(subjectkey, certfile, issuer=None, issuerkey=None, >> country='', >> >> >>
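
Review bot: In the `try` branch, `digest=b"md5"` hard-codes MD5 as the CRL signature digest, while the `except TypeError` branch falls back to whatever default the installed pyopenssl picks, so the two paths can produce CRLs signed with different digests and nothing records which one was used. Consider lifting the digest into a named constant in create_certs.py with a comment saying why MD5 was chosen, so it can be changed in one place if the test certificates move to a stronger hash. The `except TypeError` also catches a TypeError raised for any other reason inside `crl.export()`, not only the missing `digest` keyword; a narrower check would avoid masking an unrelated failure. Separately, `open(crlfile, "wt").write(exported)` leaves the file handle to be closed by the garbage collector; a `with` block would close it deterministically.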