Robert Strickler
2014-09-19 23:17:59 UTC
msg digest changes to add Ben's (blp) patch get reverted.
utilities/ovs-pki
utilities/ovs-pki.in
openvswitch-2.3.0/tests/pki/controllerca/ca.cnf
openvswitch-2.3.0/tests/pki/switchca/ca.cnf
files where default_md is assigned all revert after:
(cd ~/rpmbuild/BUILD/openvswitch-2.3.0 && make clean && rpmbuild -bb rhel/openvswitch.spec)
Anyone know what the correct file to change is to have it propagate?
revert as well *
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/virt/attachments/20140919/1f6ae008/attachment.html>
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
digest algorithm" on systems that disable MD5 in OpenSSL. CentOS 7 is one
example. Presumably it increases security as well for anyone who generates
certificates based on a new configuration created by the new ovs-pki.
Reported-by: Robert Strickler <anomalyst at gmail.com>
Signed-off-by: Ben Pfaff <blp at nicira.com>
---
AUTHORS | 1 +
NEWS | 3 +++
utilities/ovs-pki.in | 4 ++--
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index e3fe7ba..47bbd82 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -268,6 +268,7 @@ Ralf Heiringhoff ralf at frosty-geek.net
Ram Jothikumar rjothikumar at nicira.com
Ramana Reddy gtvrreddy at gmail.com
Rob Sherwood rob.sherwood at bigswitch.com
+Robert Strickler anomalyst at gmail.com
Roger Leigh rleigh at codelibre.net
Rogério Vinhal Nunes
Roman Sokolkov rsokolkov at gmail.com
diff --git a/NEWS b/NEWS
index 6cbb315..f9ea90f 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ Post-v2.3.0
* "resubmit" actions may now be included in action sets. The
resubmit
is executed last, and only if the action set has no "output" or
"group"
action.
+ - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because
+ MD5 is no longer secure and some operating systems have started to
disable
+ it in OpenSSL.
- ovsdb-server: New OVSDB protocol extension allows inequality tests on
"optional scalar" columns. See ovsdb-server(1) for details.
- test-controller has been renamed ovs-testcontroller at request of
users
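Review bot: the added ovs-pki entry does not say who has to act after upgrading. The commit message limits the effect to "a new configuration created by the new ovs-pki", so the entry should add that a ca.cnf written by an earlier ovs-pki still carries default_md = md5 and must be edited by hand or regenerated. As posted, the added lines are also wrapped ("disable" sits on its own line without a "+" prefix), so the hunk needs to be re-sent unwrapped before it will apply.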
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 6081a5e..8745355 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -1,6 +1,6 @@
#! /bin/sh
-# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # md to use
+default_md = sha512 # md to use
policy = policy # default policy
email_in_dn = no # Don't add the email into cert DN
name_opt = ca_default # Subject name display option
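Review bot: nothing in this change verifies the new "default_md = sha512" line, and the diffstat shows no test touched. Since the setting lives in configuration text embedded in a shell script, suggest a test that signs a certificate through ovs-pki and checks that its signature algorithm is SHA-512 based, plus a quick search of the rest of the script for any other place that names md5 explicitly.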
--
1.9.1
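A check that follows from the patch above, as an added example that is not part of the original message or of Open vSwitch: it scans a directory tree for `.cnf` files whose `default_md` still names a weak digest, which is the state the reporter's `ca.cnf` files return to after a rebuild. The function names, the weak-digest list and the two sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit OpenSSL CA config files for a weak default_md.

# Print the effective default_md of one config file (last assignment wins).
# Commented-out assignments are skipped; a trailing "# ..." comment is cut,
# even when it is glued to the value as in "cakey.pem# CA private key".
get_default_md() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print "<file>: default_md = <digest>" for every *.cnf under $1 that signs
# with a weak digest. Returns 0 when none is found, 1 otherwise.
audit_pki_dir() {
    audit_findings=$(find "$1" -type f -name '*.cnf' | sort |
        while IFS= read -r audit_cnf; do
            audit_md=$(get_default_md "$audit_cnf" | tr 'A-Z' 'a-z')
            case "$audit_md" in
                md2|md4|md5|sha1)   # assumed weak list; extend to match policy
                    printf '%s: default_md = %s\n' "$audit_cnf" "$audit_md" ;;
            esac
        done)
    [ -z "$audit_findings" ] && return 0
    printf '%s\n' "$audit_findings"
    return 1
}

# Build a constructed sample tree: one CA config still on md5, one on sha512.
# Prints the path of the temporary directory.
make_sample_pki() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/controllerca" "$sample_dir/switchca"
    printf '[ ca ]\ndefault_days = 3650\ndefault_md = md5 # md to use\n' \
        > "$sample_dir/controllerca/ca.cnf"
    printf '[ ca ]\ndefault_days = 3650\ndefault_md = sha512 # md to use\n' \
        > "$sample_dir/switchca/ca.cnf"
    printf '%s\n' "$sample_dir"
}

# Demonstration on the constructed sample.
demo_dir=$(make_sample_pki)
audit_pki_dir "$demo_dir" || echo "weak digest configured; regenerate or edit the files above"
rm -rf "$demo_dir"
```

Point `audit_pki_dir` at the PKI directory after a rebuild to see whether the files have gone back to `md5`.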