URL: https://github.com/SSSD/sssd/pull/5280 Author: alexey-tikhonov Title: #5280: p11_child: switch default ocsp_dgst to sha1 Action: opened
PR body: """ For details please see discussion at https://github.com/SSSD/sssd/pull/837#issuecomment-672831519 Resolves: https://github.com/SSSD/sssd/issues/5002 """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5280/head:pr5280
git checkout pr5280
From 1ace8a5392543fa5deeaf9b6878b6683ded5f1a1 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov <atikh...@redhat.com> Date: Tue, 18 Aug 2020 14:37:04 +0200 Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1 For details please see discussion at https://github.com/SSSD/sssd/pull/837#issuecomment-672831519 Resolves: https://github.com/SSSD/sssd/issues/5002 --- src/man/sssd.conf.5.xml | 2 +- src/p11_child/p11_child_common_utils.c | 6 +++--- src/p11_child/p11_child_openssl.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 874a09c494..1c342c560a 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -507,7 +507,7 @@ <listitem><para>sha512</para></listitem> </itemizedlist></para> <para> - Default: sha256 + Default: sha1 </para> <para>(NSS Version) This option is ignored, because NSS uses sha1 diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c index 6798752c75..95791b1f00 100644 --- a/src/p11_child/p11_child_common_utils.c +++ b/src/p11_child/p11_child_common_utils.c @@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx) cert_verify_opts->ocsp_default_responder = NULL; cert_verify_opts->ocsp_default_responder_signing_cert = NULL; cert_verify_opts->crl_file = NULL; - cert_verify_opts->ocsp_dgst = CKM_SHA256; + cert_verify_opts->ocsp_dgst = CKM_SHA_1; cert_verify_opts->soft_ocsp = false; cert_verify_opts->soft_crl = false; @@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, } else { DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported digest for OCSP [%s], " - "using default sha256.\n", &opts[c][OCSP_DGST_LEN]); - cert_verify_opts->ocsp_dgst = CKM_SHA256; + "using default sha1.\n", &opts[c][OCSP_DGST_LEN]); + cert_verify_opts->ocsp_dgst = CKM_SHA_1; } #endif } else if (strcasecmp(opts[c], "soft_ocsp") == 0) { 
diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c index 321cf162e0..04b3e1467b 100644 --- a/src/p11_child/p11_child_openssl.c +++ b/src/p11_child/p11_child_openssl.c @@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert) ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst); if (ocsp_dgst == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function " - "for OCSP, using default sha256.\n"); - ocsp_dgst = EVP_sha256(); + "for OCSP, using default sha1.\n"); + ocsp_dgst = EVP_sha1(); } cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer); if (cid == NULL) {
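Review bot: the reason for moving the OCSP digest default from sha256 to sha1 is missing from the sssd.conf.5.xml hunk and from the commit message; both only point at the discussion in #837. After this change the man page reads "Default: sha1" directly under a list that still offers sha256 and sha512, so an administrator reading it has no way to tell whether the weaker default is a deliberate interoperability choice or an oversight, and whether they should override it with ocsp_dgst. Suggest adding one sentence to the <para> in the man page hunk stating why sha1 is the default, and carrying the same sentence in the commit message so the rationale survives outside the GitHub thread.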
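Review bot: the default digest is now hard-coded in three separate places and this patch had to edit all of them by hand: the initialiser in init_cert_verify_opts (`cert_verify_opts->ocsp_dgst = CKM_SHA_1;`), the unsupported-value fallback in parse_cert_verify_opts (`"using default sha1.\n"` together with a second `cert_verify_opts->ocsp_dgst = CKM_SHA_1;`), and the OpenSSL fallback in do_ocsp (`ocsp_dgst = EVP_sha1();` with its own "using default sha1" string). The two DEBUG messages are free-text copies of the constant's name, so a future default change can leave a message or one of the fallbacks disagreeing with the value actually used. Suggest a single `#define` for the default CKM_* value (and one for its printable name used in both DEBUG calls) in p11_child_common_utils so the default is changed on one line, and so the do_ocsp fallback is derived from that constant rather than re-stated as a literal EVP_sha1().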
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org