ovs-pki: Use SHA-512 instead of SHA-1 as message digest.

The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because XenServer did not support SHA-512. It has been a few years, so let's try again. CC: 828478@bugs.debian.org Reported-at: https://bugs.debian.org/828478 Reported-by: Kurt Roeckx <kurt@roeckx.be> Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Ryan Moats <rmoats@us.ibm.com>
2025-08-22 09:58:01 +00:00 · 2016-07-01 18:05:40 -07:00 · 2016-07-01 18:05:40 -07:00 · 29dd784d76
commit 29dd784d76
parent f752508619
2 changed files with 5 additions and 1 deletions
--- a/4
+++ b/4
@ -87,6 +87,10 @@ Post-v2.5.0
     watch with tcpdump
   - Introduce --no-self-confinement flag that allows daemons to work with
     sockets outside their run directory.
+   - ovs-pki: Changed message digest algorithm from SHA-1 to SHA-512 because
+     SHA-1 is no longer secure and some operating systems have started to
+     disable it in OpenSSL.
+

 v2.5.0 - 26 Feb 2016
 ---------------------
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@ -274,7 +274,7 @@ private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = sha1                  # message digest to use
+default_md     = sha512                # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option