ovs-pki: Use SHA-512 instead of SHA-1 as message digest.
The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
2014 with commit 9ff33ca ("ovs-pki: Use SHA-512 instead of MD5 as
message digest."), but we had to downgrade to SHA-1 in commit 4a1f961
("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
XenServer did not support SHA-512.  It has been a few years, so let's try
again.

CC: 828478@bugs.debian.org
Reported-at: https://bugs.debian.org/828478
Reported-by: Kurt Roeckx <kurt@roeckx.be>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Ryan Moats <rmoats@us.ibm.com>
blp committed Jul 22, 2016
1 parent f752508 commit 29dd784
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions NEWS
Expand Up @@ -87,6 +87,10 @@ Post-v2.5.0
watch with tcpdump
- Introduce --no-self-confinement flag that allows daemons to work with
sockets outside their run directory.
- ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because
SHA-1 is no longer secure and some operating systems have started to
disable it in OpenSSL.


v2.5.0 - 26 Feb 2016
---------------------
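Review bot: The added NEWS entry under Post-v2.5.0 does not tell users about the compatibility risk that the commit message itself records, namely that the previous switch to SHA-512 had to be reverted because XenServer did not support it. Consider adding a sentence saying that peers whose SSL stack cannot verify SHA-512 signatures will reject certificates issued by ovs-pki after this change. It would also help to state whether the new digest applies only to PKI directories initialised after the upgrade or also to existing ones, since the entry as written ("Changed message digest algorithm from SHA-1 to SHA-512") leaves that open.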
2 changes: 1 addition & 1 deletion utilities/ovs-pki.in
Expand Up @@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha1 # message digest to use
default_md = sha512 # message digest to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
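Review bot: The new value in "default_md = sha512 # message digest to use" is hardcoded in the generated CA configuration with no record of why it was chosen, even though the commit message shows this setting has already moved from MD5 to SHA-512, back to SHA-1, and now to SHA-512 again. A short comment beside the line noting the OpenSSL 1.1.0 motivation and the earlier XenServer revert would save the next person from repeating that history, and an override for the digest would give affected platforms a way out without patching the script. This hunk touches only the one default_md line, so please also confirm that no other openssl invocation in utilities/ovs-pki.in (for example when creating the CA's own certificate or a request) still selects SHA-1 explicitly or through a separate default.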