[ovs-dev] [PATCH] ovs-pki: Use SHA-512 instead of MD5 as message digest.

Robert Strickler anomalyst at gmail.com
Fri Sep 19 23:17:59 UTC 2014


Message digest changes to add Ben's (blp) patch get reverted.
utilities/ovs-pki
utilities/ovs-pki.in
openvswitch-2.3.0/tests/pki/controllerca/ca.cnf
openvswitch-2.3.0/tests/pki/switchca/ca.cnf

Files where default_md is assigned all revert after:
(cd ~/rpmbuild/BUILD/openvswitch-2.3.0 && make clean && rpmbuild -bb
rhel/openvswitch.spec)

Anyone know what the correct file to change is to have it propagate?
revert as well *

On Thu, Sep 18, 2014 at 10:09 PM, Ben Pfaff <blp at nicira.com> wrote:

> This fixes numerous testsuite failures of the form "SSL_connect:
> error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
> digest algorithm" on systems that disable MD5 in OpenSSL.  Centos 7 is one
> example.  Presumably it increases security as well for anyone who generates
> certificates based on a new configuration created by the new ovs-pki.
>
> Reported-by: Robert Strickler <anomalyst at gmail.com>
> Signed-off-by: Ben Pfaff <blp at nicira.com>
> ---
>  AUTHORS              | 1 +
>  NEWS                 | 3 +++
>  utilities/ovs-pki.in | 4 ++--
>  3 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/AUTHORS b/AUTHORS
> index e3fe7ba..47bbd82 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -268,6 +268,7 @@ Ralf Heiringhoff        ralf at frosty-geek.net
>  Ram Jothikumar          rjothikumar at nicira.com
>  Ramana Reddy            gtvrreddy at gmail.com
>  Rob Sherwood            rob.sherwood at bigswitch.com
> +Robert Strickler        anomalyst at gmail.com
>  Roger Leigh             rleigh at codelibre.net
>  Rogério Vinhal Nunes
>  Roman Sokolkov          rsokolkov at gmail.com
> diff --git a/NEWS b/NEWS
> index 6cbb315..f9ea90f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -20,6 +20,9 @@ Post-v2.3.0
>       * "resubmit" actions may now be included in action sets.  The
> resubmit
>         is executed last, and only if the action set has no "output" or
> "group"
>         action.
> +   - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because
> +     MD5 is no longer secure and some operating systems have started to
> disable
> +     it in OpenSSL.
>     - ovsdb-server: New OVSDB protocol extension allows inequality tests on
>       "optional scalar" columns.  See ovsdb-server(1) for details.
>     - test-controller has been renamed ovs-testcontroller at request of
> users
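Review bot: The NEWS entry does not tell users that the new digest only reaches PKI directories created by the updated ovs-pki; the commit message itself limits the benefit to "a new configuration created by the new ovs-pki", and the reply above shows ca.cnf files under tests/pki still carrying `default_md`. A sentence along the lines of "existing CA directories keep `default_md = md5` in their ca.cnf and should be regenerated or edited" would point administrators on OpenSSL builds with MD5 disabled at the fix for the "unknown message digest algorithm" failure instead of leaving them to rediscover it.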
> diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
> index 6081a5e..8745355 100755
> --- a/utilities/ovs-pki.in
> +++ b/utilities/ovs-pki.in
> @@ -1,6 +1,6 @@
>  #! /bin/sh
>
> -# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
> +# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
>  #
>  # Licensed under the Apache License, Version 2.0 (the "License");
>  # you may not use this file except in compliance with the License.
> @@ -274,7 +274,7 @@ private_key    = $dir/private/cakey.pem# CA private key
>  RANDFILE       = $dir/private/.rand    # random number file
>  default_days   = 3650                  # how long to certify for
>  default_crl_days= 30                   # how long before next CRL
> -default_md     = md5                   # md to use
> +default_md     = sha512                # md to use
>  policy         = policy                # default policy
>  email_in_dn    = no                    # Don't add the email into cert DN
>  name_opt       = ca_default            # Subject name display option
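Review bot: The changed line is inside the ca.cnf template that ovs-pki writes into each new CA directory (the `$dir` references in the surrounding context mark it as a template), so it fixes newly initialised CAs only and leaves any already-generated ca.cnf on `md5`; this is consistent with the reply's observation that the tests/pki/*/ca.cnf files only change after a rebuild reruns the generator. Consider saying so in the commit message, and consider making the comment more informative than `# md to use`, e.g. `# message digest for signing; MD5 is disabled in some OpenSSL builds`, so the next reader knows why sha512 is there.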
> --
> 1.9.1
>
>
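The thread's practical question is which generated ca.cnf files still carry `default_md = md5` after a rebuild. The script below is an added example, not code from this thread or from the Open vSwitch tree: it extracts the `default_md` value from OpenSSL-style CA configuration files, flags MD5 (and the other digests OpenSSL builds commonly disable), and walks a directory laid out like tests/pki/{controllerca,switchca}/ca.cnf. The sample tree it builds under mktemp, with one CA still on md5 and one on sha512, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ovs-dev thread or the OVS tree): find OpenSSL CA
# configs whose "default_md" still selects MD5, the value the patch replaces
# with SHA-512.  The sample tree created below is constructed for this demo.

# Print the digest named by "default_md" in an OpenSSL-style config file,
# dropping trailing "# comment" text and whitespace.  Prints nothing when
# the key is absent.
default_md_of() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Exit status: 0 when the configured digest is acceptable, 1 when it is MD5
# or another digest that OpenSSL builds may disable, 2 when no digest is set.
check_default_md() {
    md=$(default_md_of "$1")
    case "$md" in
        "")          echo "$1: no default_md set"; return 2 ;;
        md5|md4|md2) echo "$1: weak digest '$md', regenerate this CA"; return 1 ;;
        *)           echo "$1: digest '$md' ok"; return 0 ;;
    esac
}

# Check every <tree>/<ca>/ca.cnf, the layout tests/pki uses, and fail if any
# one of them is weak or unset.
scan_pki_tree() {
    rc=0
    for f in "$1"/*/ca.cnf; do
        [ -e "$f" ] || continue
        check_default_md "$f" || rc=1
    done
    return $rc
}

# Constructed sample input: one CA config still on the pre-patch md5 default,
# one written from the patched template with sha512.  Echoes the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/switchca" "$d/controllerca"
    printf 'default_md     = md5                   # md to use\n' > "$d/switchca/ca.cnf"
    printf 'default_md     = sha512                # md to use\n' > "$d/controllerca/ca.cnf"
    echo "$d"
}

tree=$(make_sample_tree)
if scan_pki_tree "$tree"; then
    echo "all CA configs use an acceptable digest"
else
    echo "at least one CA config still selects a weak digest"
fi
rm -r "$tree"
```

Pointing `scan_pki_tree` at the pki directory of a real build (for example the tests/pki directory inside an rpmbuild tree) after `make clean && rpmbuild -bb` shows directly whether the regenerated CA configs picked up the new template or were written from an older ovs-pki.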
