[ovs-dev] Bug#828478: [PATCH] ovs-pki: Use SHA-512 message digest when available.
Kurt Roeckx
kurt at roeckx.be
Sun Jun 26 18:55:04 UTC 2016
On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote:
> The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in
> 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> XenServer did not support SHA-512.
>
> This commit detects support for SHA-512 and uses it if available, so it
> should avoid the problem encountered previously.
Note that openssl has supported SHA-512 for a while. It's been
supported since 0.9.8 which was released in 2005. So that support
detection doesn't look like a good idea.
You indicated that XenServer didn't support it. Did that change?
From what I understand of the log it's that the certificate is still
using a weak digest. I guess we started to reject SHA-1 by
default now, which is actually a good thing. The browsers should
stop supporting it soon too.
I suggest you just switch to SHA-256 or SHA-512 by default.
> diff --git a/AUTHORS b/AUTHORS
> index 704ba40..a893330 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -367,6 +367,7 @@ Konstantin Khorenko khorenko at openvz.org
> Kris zhang zhang.kris at gmail.com
> Krishna Miriyala krishna at nicira.com
> Krishna Mohan Elluru elluru.kri.mohan at hpe.com
> +Kurt Roeckx kurt at roeckx.be
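Review bot: the AUTHORS entry added here (`+Kurt Roeckx kurt at roeckx.be`) is unrelated to the ovs-pki digest change the commit message describes, and the message gives no reason for it; if it is meant as a bug-report credit, state that in the commit message, otherwise drop this hunk from the patch. Note also that the header `@@ -367,6 +367,7 @@` announces three trailing context lines that are not shown, so the hunk as quoted is incomplete.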
There really is no reason to add me; it's not like I contributed
anything. Someone else tried to build it and I just filed bugs
based on that.
Kurt
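The thread turns on two practical questions: whether a build host's openssl accepts a given digest, and whether an existing certificate was signed with a weak one. The script below is an added example, not ovs-pki's code or the patch under discussion (whose detection logic is not shown in this message). It probes the local `openssl dgst` for each candidate digest in preference order, and reads the signature algorithm out of a PEM certificate so MD5- or SHA-1-signed certificates can be found and reissued. The `OPENSSL` variable and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ovs-pki's own code. Two defensive checks around the
# digest question raised in the thread:
#   1. pick the strongest digest the local openssl binary accepts, in the
#      caller's preference order (the detection approach the commit message
#      describes; the real ovs-pki code is not shown here);
#   2. report which signature algorithm an existing PEM certificate was
#      signed with, and flag MD5/SHA-1 so such certificates can be reissued.
# OPENSSL (path to the openssl binary) and all function names are assumptions.

OPENSSL="${OPENSSL:-openssl}"

# openssl_supports DIGEST: succeed if `openssl dgst -DIGEST` works on this host.
openssl_supports() {
    printf 'probe' | "$OPENSSL" dgst "-$1" >/dev/null 2>&1
}

# pick_digest DIGEST...: print the first supported digest; fail if none is.
pick_digest() {
    for d in "$@"; do
        if openssl_supports "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# cert_sigalg CERT.pem: print the certificate's signature algorithm name,
# e.g. sha256WithRSAEncryption (first "Signature Algorithm:" line of -text).
cert_sigalg() {
    "$OPENSSL" x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# weak_sigalg NAME: succeed if the algorithm name is based on MD5 or SHA-1.
# (sha512/sha256 names do not contain the substring "sha1".)
weak_sigalg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_uses_weak_digest CERT.pem: succeed if the certificate is MD5/SHA-1 signed.
cert_uses_weak_digest() {
    weak_sigalg "$(cert_sigalg "$1")"
}

# Usage: sh digest-check.sh cert1.pem cert2.pem ...
# Prints the digest that would be used for new signatures, then one line
# per certificate, marking MD5/SHA-1-signed ones.
if [ "$#" -gt 0 ]; then
    printf 'digest for new signatures: %s\n' "$(pick_digest sha512 sha256 sha1)"
    for cert in "$@"; do
        alg=$(cert_sigalg "$cert")
        if weak_sigalg "$alg"; then
            printf '%s: %s (WEAK, reissue)\n' "$cert" "$alg"
        else
            printf '%s: %s\n' "$cert" "$alg"
        fi
    done
fi
```

Run it against the certificates in an ovs-pki directory to see which ones an OpenSSL that rejects SHA-1 signatures will refuse; a host where `pick_digest sha512 sha256 sha1` falls through to `sha1` is one where the per-host detection in the patch would still produce certificates that newer OpenSSL rejects, which is the point made above about simply defaulting to SHA-256 or SHA-512.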