<div dir="ltr"><div>Message digest changes to add Ben's (blp) patch get reverted.</div><div>utilities/ovs-pki </div><div>utilities/ovs-pki.in</div><div>openvswitch-2.3.0/tests/pki/controllerca/ca.cnf<br></div><div><div>openvswitch-2.3.0/tests/pki/switchca/ca.cnf</div></div><div><br></div><div>Files where default_md is assigned all revert after:</div><div>(cd ~/rpmbuild/BUILD/openvswitch-2.3.0 && make clean && rpmbuild -bb rhel/openvswitch.spec)<br></div><div><br></div><div>Anyone know what the correct file to change is to have it propagate?</div><div>revert as well *<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 18, 2014 at 10:09 PM, Ben Pfaff <span dir="ltr"><<a href="mailto:blp@nicira.com" target="_blank">blp@nicira.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This fixes numerous testsuite failures of the form "SSL_connect:<br>
error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message<br>
digest algorithm" on systems that disable MD5 in OpenSSL. CentOS 7 is one<br>
example. Presumably it increases security as well for anyone who generates<br>
certificates based on a new configuration created by the new ovs-pki.<br>
<br>
Reported-by: Robert Strickler <<a href="mailto:anomalyst@gmail.com">anomalyst@gmail.com</a>><br>
Signed-off-by: Ben Pfaff <<a href="mailto:blp@nicira.com">blp@nicira.com</a>><br>
---<br>
AUTHORS | 1 +<br>
NEWS | 3 +++<br>
utilities/<a href="http://ovs-pki.in" target="_blank">ovs-pki.in</a> | 4 ++--<br>
3 files changed, 6 insertions(+), 2 deletions(-)<br>
<br>
diff --git a/AUTHORS b/AUTHORS<br>
index e3fe7ba..47bbd82 100644<br>
--- a/AUTHORS<br>
+++ b/AUTHORS<br>
@@ -268,6 +268,7 @@ Ralf Heiringhoff <a href="mailto:ralf@frosty-geek.net">ralf@frosty-geek.net</a><br>
Ram Jothikumar <a href="mailto:rjothikumar@nicira.com">rjothikumar@nicira.com</a><br>
Ramana Reddy <a href="mailto:gtvrreddy@gmail.com">gtvrreddy@gmail.com</a><br>
Rob Sherwood <a href="mailto:rob.sherwood@bigswitch.com">rob.sherwood@bigswitch.com</a><br>
+Robert Strickler <a href="mailto:anomalyst@gmail.com">anomalyst@gmail.com</a><br>
Roger Leigh <a href="mailto:rleigh@codelibre.net">rleigh@codelibre.net</a><br>
Rogério Vinhal Nunes<br>
Roman Sokolkov <a href="mailto:rsokolkov@gmail.com">rsokolkov@gmail.com</a><br>
diff --git a/NEWS b/NEWS<br>
index 6cbb315..f9ea90f 100644<br>
--- a/NEWS<br>
+++ b/NEWS<br>
@@ -20,6 +20,9 @@ Post-v2.3.0<br>
* "resubmit" actions may now be included in action sets. The resubmit<br>
is executed last, and only if the action set has no "output" or "group"<br>
action.<br>
+ - ovs-pki: Changed message digest algorithm from MD5 to SHA-512 because<br>
+ MD5 is no longer secure and some operating systems have started to disable<br>
+ it in OpenSSL.<br>
- ovsdb-server: New OVSDB protocol extension allows inequality tests on<br>
"optional scalar" columns. See ovsdb-server(1) for details.<br>
- test-controller has been renamed ovs-testcontroller at request of users<br>
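</blockquote><div>Review bot: the NEWS entry added at "ovs-pki: Changed message digest algorithm from MD5 to SHA-512" does not say which installations are affected. The commit message limits the benefit to certificates "based on a new configuration created by the new ovs-pki", so the entry should add a sentence telling users that a PKI configuration created before this change keeps its old default_md until it is edited or regenerated.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">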
diff --git a/utilities/<a href="http://ovs-pki.in" target="_blank">ovs-pki.in</a> b/utilities/<a href="http://ovs-pki.in" target="_blank">ovs-pki.in</a><br>
index 6081a5e..8745355 100755<br>
--- a/utilities/<a href="http://ovs-pki.in" target="_blank">ovs-pki.in</a><br>
+++ b/utilities/<a href="http://ovs-pki.in" target="_blank">ovs-pki.in</a><br>
@@ -1,6 +1,6 @@<br>
#! /bin/sh<br>
<br>
-# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013 Nicira, Inc.<br>
+# Copyright (c) 2008, 2009, 2010, 2011, 2012, 2013, 2014 Nicira, Inc.<br>
#<br>
# Licensed under the Apache License, Version 2.0 (the "License");<br>
# you may not use this file except in compliance with the License.<br>
@@ -274,7 +274,7 @@ private_key = $dir/private/cakey.pem# CA private key<br>
RANDFILE = $dir/private/.rand # random number file<br>
default_days = 3650 # how long to certify for<br>
default_crl_days= 30 # how long before next CRL<br>
-default_md = md5 # md to use<br>
+default_md = sha512 # md to use<br>
policy = policy # default policy<br>
email_in_dn = no # Don't add the email into cert DN<br>
name_opt = ca_default # Subject name display option<br>
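</blockquote><div>Review bot: in the @@ -274 hunk, "default_md = sha512" has no handling for a CA configuration that already exists. By the commit message's own wording the new value reaches only a configuration created by the new ovs-pki, so an older configuration still carrying "default_md = md5" will keep producing certificates that fail with the "unknown message digest algorithm" error on systems that disable MD5. Suggest having ovs-pki warn when the CA configuration it is about to use still sets default_md to md5, and extending the trailing "# md to use" comment to say why md5 must not be restored.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">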
<span class="HOEnZb"><font color="#888888">--<br>
1.9.1<br>
<br>
</font></span></blockquote></div><br></div>
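<div>An added example, not part of the patch or of Open vSwitch: a shell check that lists every default_md assignment under a directory tree and marks those still set to md5, the condition the commit message and NEWS entry describe. The function names, the file-name patterns and the sample configuration are assumptions made for the example.</div>

```shell
#!/bin/sh
# Added example (not Open vSwitch code): report every default_md assignment
# under a directory and mark the ones that still name a weak digest.

# Digests treated as weak. The page names only MD5; extend per local policy.
WEAK_DIGESTS="md5"

# audit_default_md DIR
# Prints one line per assignment: STATUS<TAB>file:line<TAB>[section]<TAB>digest
audit_default_md() {
    # File-name patterns are assumptions: OpenSSL configs and the ovs-pki template.
    find "$1" -type f \( -name '*.cnf' -o -name 'ovs-pki.in' \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" -v weak="$WEAK_DIGESTS" '
            BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
            # Track the current "[ section ]" header.
            /^[ \t]*\[[ \t]*[A-Za-z0-9_]+[ \t]*\][ \t]*$/ {
                section = $0; gsub(/[ \t]/, "", section); next
            }
            /^[ \t]*default_md[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)   # drop "default_md ="
                sub(/[ \t]*#.*$/, "", v)      # drop a trailing comment
                sub(/[ \t]+$/, "", v)         # drop trailing blanks
                v = tolower(v)
                printf "%s\t%s:%d\t%s\t%s\n", ((v in bad) ? "WEAK" : "ok"), file, NR, section, v
            }' "$f"
    done
}

# has_weak_md DIR: exit status 0 if any weak assignment is found (for CI gates).
has_weak_md() {
    audit_default_md "$1" | grep -q '^WEAK'
}

# Constructed sample input, modelled on the ca.cnf lines quoted in the patch.
demo=$(mktemp -d)
printf '[ CA_default ]\ndefault_days = 3650\ndefault_md = md5 # md to use\n' > "$demo/ca.cnf"
audit_default_md "$demo"
rm -rf "$demo"
```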