[ovs-dev] Bug#828478: [PATCH] ovs-pki: Use SHA-512 message digest when available.
Ben Pfaff
blp at ovn.org
Sun Jun 26 18:05:35 UTC 2016
The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in
2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
XenServer did not support SHA-512.
This commit detects support for SHA-512 and uses it if available, so it
should avoid the problem encountered previously.
CC: 828478 at bugs.debian.org
Reported-at: https://bugs.debian.org/828478
Reported-by: Kurt Roeckx <kurt at roeckx.be>
Signed-off-by: Ben Pfaff <blp at ovn.org>
---
AUTHORS | 1 +
utilities/ovs-pki.in | 15 +++++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index 704ba40..a893330 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -367,6 +367,7 @@ Konstantin Khorenko khorenko at openvz.org
Kris zhang zhang.kris at gmail.com
Krishna Miriyala krishna at nicira.com
Krishna Mohan Elluru elluru.kri.mohan at hpe.com
+Kurt Roeckx kurt at roeckx.be
Len Gao leng at vmware.com
Logan Rosen logatronico at gmail.com
Luca Falavigna dktrkranz at debian.org
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 9b2b5aa..17497a8 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -248,7 +248,18 @@ if test "$command" = "init"; then
# Write CA configuration file.
if test ! -e ca.cnf; then
- sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF'
+ if echo | openssl dgst -sha512 >/dev/null 2>&1; then
+ md=sha512
+ elif echo | openssl dgst -sha1 >/dev/null 2>&1; then
+ md=sha1
+ else
+ echo "$0: openssl does not support sha512 or sha1" >&2
+ exit 1
+ fi
+ sed "s/@ca@/$ca/g
+s/@curr_date@/$curr_date/g
+s/@md@/$md/g
+" > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
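Review bot: the fallback probe `echo | openssl dgst -sha1` only shows that the openssl CLI can compute a SHA-1 digest, not that this OpenSSL build will accept SHA-1 as a certificate signature digest, which is the restriction the commit message describes for 1.1.0; on such a build the probe succeeds, `md=sha1` is written into ca.cnf and signing fails later with a less obvious error. Consider probing a signing operation instead, or at least emitting a warning when the SHA-1 branch is taken. Also, the detection sits inside `if test ! -e ca.cnf; then`, so a ca.cnf produced by an earlier init keeps `default_md = sha1` and is never migrated; a note in the commit message or a hint in the error path would help users who hit that case.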
@@ -274,7 +285,7 @@ private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = sha1 # message digest to use
+default_md = @md@ # message digest to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
--
2.1.3