Public bug reported:
nova/crypto.py:generate_winrm_x509_cert() generates certs with default
SHA-1 digest.
The call to 'openssl req' does not specify -digest option nor
certificate config file sets digest, so certificates are generated with
SHA-1 digest. SHA-1 is not considered to be a secure algorithm for
certificates' digest.
It would be preferable to:
1) let user specify digest algorithm via a config option
2) default to SHA-256
** Affects: nova
Importance: Undecided
Status: New
** Description changed:
nova/crypto.py:generate_winrm_x509_cert() generates certs with default
SHA-1 digest.
The call to 'openssl req' does not specify -digest option nor
certificate config file sets digest, so certificates are generated with
- SHA-1 digest. SHA-1 is not considered to be a secure algorithm.
+ SHA-1 digest. SHA-1 is not considered to be a secure algorithm for
+ certificates' digest.
It would be preferable to:
1) let user specify digest algorithm via a config option
2) default to SHA-256
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1516703
Title:
crypto.py generates certs with SHA-1 digest
Status in OpenStack Compute (nova):
New
Bug description:
nova/crypto.py:generate_winrm_x509_cert() generates certs with default
SHA-1 digest.
The call to 'openssl req' does not specify -digest option nor
certificate config file sets digest, so certificates are generated
with SHA-1 digest. SHA-1 is not considered to be a secure algorithm
for certificates' digest.
It would be preferable to:
1) let user specify digest algorithm via a config option
2) default to SHA-256
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1516703/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
