Basic support of RFC 6594 #259
Conversation
Set SHA256 as a default digest for RSA/DSA SSHFP records
There was a problem hiding this comment.
The problem is that doing this will mean that any currently-working configurations relying on SHA1 fingerprints will stop working unless the DNS also contains the corresponding SHA256 records.
edit: actually there is a check hostkey_digest_type != dnskey_digest_type which will override the default type. If I'm reading this right the check inside the loop means it'll always end up using the hash algos returned by DNS and your change won't have any effect. (Whether or not its current behaviour is desirable is a separate question).
|
The behaviour was changed in b75a80f such that it'll verify every fingerprint available to it and bail if any fail to match. Additional discussion available in https://bugzilla.mindrot.org/show_bug.cgi?id=3322 |
Set SHA256 as a default digest for RSA/DSA SSHFP records