[ovs-dev] [PATCH] ovs-pki: Use SHA-512 instead of MD5 as message digest.
Ben Pfaff
blp at nicira.com
Fri Sep 19 05:09:58 UTC 2014
This fixes numerous testsuite failures of the form "SSL_connect:
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
digest algorithm" on systems that disable MD5 in OpenSSL. Centos 7 is one
example. Presumably it increase security as well for anyone who generates
certificates based on a new configuration created by the new ovs-pki.
Reported-by: Robert Strickler <anomalyst at gmail.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>
---
AUTHORS | 1 +
NEWS | 3 +++
utilities/ovs-pki.in | 4 ++--
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index e3fe7ba..47bbd82 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -268,6 +268,7 @@ Ralf Heiringhoff ralf at frosty-geek.net
Ram Jothikumar rjothikumar at nicira.com
Ramana Reddy gtvrreddy at gmail.com
Rob Sherwood rob.sherwood at bigswitch.com
+Robert Strickler anomalyst at gmail.com
Roger Leigh rleigh at codelibre.net
Rogério Vinhal Nunes
Roman Sokolkov rsokolkov at gmail.com
diff --git a/NEWS b/NEWS
index 6cbb315..f9ea90f 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ Post-v2.3.0
* "resubmit" actions may now be included in action sets. The resubmit
is executed last, and only if the action set has no "output" or "group"
action.
+ - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because
+ MD5 is no longer secure and some operating systems have started to disable
+ it in OpenSSL.
- ovsdb-server: New OVSDB protocol extension allows inequality tests on
"optional scalar" columns. See ovsdb-server(1) for details.
- test-controller has been renamed ovs-testcontroller at request of users
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 6081a5e..8745355 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
#! /bin/sh
-# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # md to use
+default_md = sha512 # md to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
--
1.9.1
More information about the dev
mailing list