ovs-pki: Use SHA-512 instead of MD5 as message digest.

This fixes numerous testsuite failures of the form "SSL_connect: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm" on systems that disable MD5 in OpenSSL. Centos 7 is one example. Presumably it increase security as well for anyone who generates certificates based on a new configuration created by the new ovs-pki. Reported-by: Robert Strickler <anomalyst@gmail.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
2025-08-22 01:51:26 +00:00 · 2014-09-19 16:17:09 -07:00 · 2014-09-19 16:17:09 -07:00 · 9ff33ca75e
commit 9ff33ca75e
parent f2eee18911
3 changed files with 6 additions and 2 deletions
--- a/1
+++ b/1
@ -268,6 +268,7 @@ Ralf Heiringhoff        ralf@frosty-geek.net
 Ram Jothikumar          rjothikumar@nicira.com
 Ramana Reddy            gtvrreddy@gmail.com
 Rob Sherwood            rob.sherwood@bigswitch.com
+Robert Strickler        anomalyst@gmail.com
 Roger Leigh             rleigh@codelibre.net
 Rogério Vinhal Nunes
 Roman Sokolkov          rsokolkov@gmail.com
--- a/3
+++ b/3
@ -20,6 +20,9 @@ Post-v2.3.0
     * "resubmit" actions may now be included in action sets.  The resubmit
       is executed last, and only if the action set has no "output" or "group"
       action.
+   - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because
+     MD5 is no longer secure and some operating systems have started to disable
+     it in OpenSSL.
   - ovsdb-server: New OVSDB protocol extension allows inequality tests on
     "optional scalar" columns.  See ovsdb-server(1) for details.
   - test-controller has been renamed ovs-testcontroller at request of users
--- a/utilities/ovs-pki.in
+++ b/utilities/ovs-pki.in
@ -1,6 +1,6 @@
 #! /bin/sh

-# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -274,7 +274,7 @@ private_key    = $dir/private/cakey.pem# CA private key
 RANDFILE       = $dir/private/.rand    # random number file
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = md5                   # md to use
+default_md     = sha512                # message digest to use
 policy         = policy                # default policy
 email_in_dn    = no                    # Don't add the email into cert DN
 name_opt       = ca_default            # Subject name display option