
[ovs-dev,v2] ovs-pki: Use SHA-512 instead of SHA-1 as message digest.

Message ID 1467421540-11080-1-git-send-email-blp@ovn.org
State Accepted

Commit Message

Ben Pfaff July 2, 2016, 1:05 a.m. UTC
The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
XenServer did not support SHA-512.  It has been a few years, so let's try
again.

CC: 828478@bugs.debian.org
Reported-at: https://bugs.debian.org/828478
Reported-by: Kurt Roeckx <kurt@roeckx.be>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
v1->v2: Suggested by Kurt Roeckx;
  - Use sha512 unconditionally.
  - Drop AUTHORS update.
  - Add NEWS update.

 NEWS                 | 4 ++++
 utilities/ovs-pki.in | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

Comments

Ryan Moats July 14, 2016, 3:06 a.m. UTC | #1
"dev" <dev-bounces@openvswitch.org> wrote on 07/01/2016 08:05:40 PM:

> From: Ben Pfaff <blp@ovn.org>
> To: dev@openvswitch.org
> Cc: Ben Pfaff <blp@ovn.org>, Kurt Roeckx <kurt@roeckx.be>,
> 828478@bugs.debian.org
> Date: 07/01/2016 08:06 PM
> Subject: [ovs-dev] [PATCH v2] ovs-pki: Use SHA-512 instead of SHA-1
> as message digest.
> Sent by: "dev" <dev-bounces@openvswitch.org>
>
> The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
> 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> XenServer did not support SHA-512.  It has been a few years, so let's try
> again.
>
> CC: 828478@bugs.debian.org
> Reported-at: https://bugs.debian.org/828478
> Reported-by: Kurt Roeckx <kurt@roeckx.be>
> Signed-off-by: Ben Pfaff <blp@ovn.org>
> ---

I'm sorta surprised there's been no action on this...

I admit that I don't have XenServer to test against, but
if they still aren't supporting SHA-512, then this would be
another good reason for them to do so...

Acked-by: Ryan Moats <rmoats@us.ibm.com>

Ben Pfaff July 22, 2016, 8:28 p.m. UTC | #2
On Wed, Jul 13, 2016 at 10:06:53PM -0500, Ryan Moats wrote:
> "dev" <dev-bounces@openvswitch.org> wrote on 07/01/2016 08:05:40 PM:
> 
> > From: Ben Pfaff <blp@ovn.org>
> > To: dev@openvswitch.org
> > Cc: Ben Pfaff <blp@ovn.org>, Kurt Roeckx <kurt@roeckx.be>,
> > 828478@bugs.debian.org
> > Date: 07/01/2016 08:06 PM
> > Subject: [ovs-dev] [PATCH v2] ovs-pki: Use SHA-512 instead of SHA-1
> > as message digest.
> > Sent by: "dev" <dev-bounces@openvswitch.org>
> >
> > The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> > OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
> > 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> > message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> > ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> > XenServer did not support SHA-512.  It has been a few years, so let's try
> > again.
> >
> > CC: 828478@bugs.debian.org
> > Reported-at: https://bugs.debian.org/828478
> > Reported-by: Kurt Roeckx <kurt@roeckx.be>
> > Signed-off-by: Ben Pfaff <blp@ovn.org>
> > ---
> 
> I'm sorta surprised there's been no action on this...
> 
> I admit that I don't have XenServer to test against, but
> if they still aren't supporting SHA-512, then this would be
> another good reason for them to do so...
> 
> Acked-by: Ryan Moats <rmoats@us.ibm.com>

Thanks for the review, I applied this to master and branch-2.5.

Now I need to do a new Debian upload.

Adrian Bunk Nov. 12, 2016, 11:14 a.m. UTC | #3
On Fri, Jul 22, 2016 at 01:28:19PM -0700, Ben Pfaff wrote:
> On Wed, Jul 13, 2016 at 10:06:53PM -0500, Ryan Moats wrote:
> > "dev" <dev-bounces@openvswitch.org> wrote on 07/01/2016 08:05:40 PM:
> > 
> > > From: Ben Pfaff <blp@ovn.org>
> > > To: dev@openvswitch.org
> > > Cc: Ben Pfaff <blp@ovn.org>, Kurt Roeckx <kurt@roeckx.be>,
> > > 828478@bugs.debian.org
> > > Date: 07/01/2016 08:06 PM
> > > Subject: [ovs-dev] [PATCH v2] ovs-pki: Use SHA-512 instead of SHA-1
> > > as message digest.
> > > Sent by: "dev" <dev-bounces@openvswitch.org>
> > >
> > > The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> > > OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
> > > 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> > > message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> > > ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> > > XenServer did not support SHA-512.  It has been a few years, so let's try
> > > again.
> > >
> > > CC: 828478@bugs.debian.org
> > > Reported-at: https://bugs.debian.org/828478
> > > Reported-by: Kurt Roeckx <kurt@roeckx.be>
> > > Signed-off-by: Ben Pfaff <blp@ovn.org>
> > > ---
> > 
> > I'm sorta surprised there's been no action on this...
> > 
> > I admit that I don't have XenServer to test against, but
> > if they still aren't supporting SHA-512, then this would be
> > another good reason for them to do so...
> > 
> > Acked-by: Ryan Moats <rmoats@us.ibm.com>
> 
> Thanks for the review, I applied this to master and branch-2.5.
> 
> Now I need to do a new Debian upload.

Building openvswitch in unstable with libssl-dev 1.1.0c-1 works for me,
even though 2.5.1~pre+git20160626-2 is older than your comment.

Is the version in unstable recent enough and this bug should be closed,
or is there anything pending to be uploaded?

cu
Adrian

Patch

diff --git a/NEWS b/NEWS
index 802e7f8..e7b43d2 100644
--- a/NEWS
+++ b/NEWS
@@ -75,6 +75,10 @@  Post-v2.5.0
      watch with tcpdump
    - Introduce --no-self-confinement flag that allows daemons to work with
      sockets outside their run directory.
+   - ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because
+     SHA-1 is no longer secure and some operating systems have started to
+     disable it in OpenSSL.
+
 
 v2.5.0 - 26 Feb 2016
 ---------------------
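
Review bot: The added NEWS entry ends with an extra blank "+" line, which together with the existing blank context line leaves two blank lines before the "v2.5.0 - 26 Feb 2016" heading; drop the trailing added line. The entry also does not say what happens to a PKI that was created before this change. If the digest setting is only written out when the PKI is initialized, existing CAs will keep signing with SHA-1, and the entry should tell users whether they need to update their CA configuration or re-create certificates.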
diff --git a/utilities/ovs-pki.in b/utilities/ovs-pki.in
index 9b2b5aa..7a992a5 100755
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@@ -274,7 +274,7 @@  private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = sha1                  # message digest to use
+default_md     = sha512                # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option
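
Review bot: The changed default_md line sits next to default_days, default_crl_days and policy, so it governs the digest used when the CA signs; nothing in this hunk sets the digest for the steps that generate certificate requests or the self-signed CA certificate. If those steps rely on OpenSSL's built-in default they may still produce SHA-1 signatures on older OpenSSL builds, so consider setting the digest explicitly there as well, and have a unit test check the signature algorithm of a generated certificate so a later downgrade is caught. Since the commit message says the last switch to SHA-512 was reverted for XenServer compatibility, a short comment beside default_md pointing at that history would help whoever next touches this line.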