Message ID | 1466964335-14188-1-git-send-email-blp@ovn.org |
---|---|
State | Superseded |
Headers | show |
On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote: > The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the > OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in > 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as > message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d > ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because > XenServer did not support SHA-512. > > This commit detects support for SHA-512 and uses it if available, so it > should avoid the problem encountered previously. Note that openssl has supported SHA-512 for a while. It's been supported since 0.9.8 which was released in 2005. So that support detection doesn't look like a good idea. You indicated that XenServer didn't support it. Did that change? From what I understand of the log it's that the certificate still using a weak digest. I guess we started to rejected SHA-1 by default now, which is actually a good thing. The browsers should stop supporting it soon too. I suggest you just switch to SHA-256 or SHA-512 by default. > diff --git a/AUTHORS b/AUTHORS > index 704ba40..a893330 100644 > --- a/AUTHORS > +++ b/AUTHORS > @@ -367,6 +367,7 @@ Konstantin Khorenko khorenko@openvz.org > Kris zhang zhang.kris@gmail.com > Krishna Miriyala krishna@nicira.com > Krishna Mohan Elluru elluru.kri.mohan@hpe.com > +Kurt Roeckx kurt@roeckx.be There really is no reason to add me, it's not like I contributed anything, someone else tried to build it and I just filed bugs based on that. Kurt
On Sun, Jun 26, 2016 at 08:55:04PM +0200, Kurt Roeckx wrote: > On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote: > > The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the > > OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in > > 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as > > message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d > > ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because > > XenServer did not support SHA-512. > > > > This commit detects support for SHA-512 and uses it if available, so it > > should avoid the problem encountered previously. > > Note that openssl has supported SHA-512 for a while. It's been > supported since 0.9.8 which was released in 2005. So that support > detection doesn't look like a good idea. > > You indicated that XenServer didn't support it. Did that change? I don't know. I guess we could always just try again and see if XenServer folks complain again. Honestly I'd prefer to have a fixed choice. > From what I understand of the log it's that the certificate still > using a weak digest. I guess we started to rejected SHA-1 by > default now, which is actually a good thing. The browsers should > stop supporting it soon too. > > I suggest you just switch to SHA-256 or SHA-512 by default. > > > diff --git a/AUTHORS b/AUTHORS > > index 704ba40..a893330 100644 > > --- a/AUTHORS > > +++ b/AUTHORS > > @@ -367,6 +367,7 @@ Konstantin Khorenko khorenko@openvz.org > > Kris zhang zhang.kris@gmail.com > > Krishna Miriyala krishna@nicira.com > > Krishna Mohan Elluru elluru.kri.mohan@hpe.com > > +Kurt Roeckx kurt@roeckx.be > > There really is no reason to add me, it's not like I contributed > anything, someone else tried to build it and I just filed bugs > based on that. OK. I habitually add people who report bugs, since bug reporting is a kind of public service. I'll drop it for v2. Thanks, Ben.
diff --git a/AUTHORS b/AUTHORS index 704ba40..a893330 100644 --- a/AUTHORS +++ b/AUTHORS @@ -367,6 +367,7 @@ Konstantin Khorenko khorenko@openvz.org Kris zhang zhang.kris@gmail.com Krishna Miriyala krishna@nicira.com Krishna Mohan Elluru elluru.kri.mohan@hpe.com +Kurt Roeckx kurt@roeckx.be Len Gao leng@vmware.com Logan Rosen logatronico@gmail.com Luca Falavigna dktrkranz@debian.org diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in index 9b2b5aa..17497a8 100755 --- a/utilities/ovs-pki.in +++ b/utilities/ovs-pki.in @@ -248,7 +248,18 @@ if test "$command" = "init"; then # Write CA configuration file. if test ! -e ca.cnf; then - sed "s/@ca@/$ca/g;s/@curr_date@/$curr_date/g" > ca.cnf <<'EOF' + if echo | openssl dgst -sha512 >/dev/null 2>&1; then + md=sha512 + elif echo | openssl dgst -sha1 >/dev/null 2>&1; then + md=sha1 + else + echo "$0: openssl does not support sha512 or sha1" >&2 + exit 1 + fi + sed "s/@ca@/$ca/g +s/@curr_date@/$curr_date/g +s/@md@/$md/g +" > ca.cnf <<'EOF' [ req ] prompt = no distinguished_name = req_distinguished_name @@ -274,7 +285,7 @@ private_key = $dir/private/cakey.pem# CA private key RANDFILE = $dir/private/.rand # random number file default_days = 3650 # how long to certify for default_crl_days= 30 # how long before next CRL -default_md = sha1 # message digest to use +default_md = @md@ # message digest to use policy = policy # default policy email_in_dn = no # Don't add the email into cert DN name_opt = ca_default # Subject name display option
The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because XenServer did not support SHA-512. This commit detects support for SHA-512 and uses it if available, so it should avoid the problem encountered previously. CC: 828478@bugs.debian.org Reported-at: https://bugs.debian.org/828478 Reported-by: Kurt Roeckx <kurt@roeckx.be> Signed-off-by: Ben Pfaff <blp@ovn.org> --- AUTHORS | 1 + utilities/ovs-pki.in | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-)