On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote:
> The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in
> 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> XenServer did not support SHA-512.
>
> This commit detects support for SHA-512 and uses it if available, so it
> should avoid the problem encountered previously.

Note that OpenSSL has supported SHA-512 for a while. It's been
supported since 0.9.8, which was released in 2005. So that support
detection doesn't look like a good idea.

You indicated that XenServer didn't support it. Did that change?

From what I understand of the log, it's that the certificate is still
using a weak digest. I guess we started to reject SHA-1 by
default now, which is actually a good thing. The browsers should
stop supporting it soon too.

I suggest you just switch to SHA-256 or SHA-512 by default.

> diff --git a/AUTHORS b/AUTHORS
> index 704ba40..a893330 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -367,6 +367,7 @@ Konstantin Khorenko [email protected]
> Kris zhang [email protected]
> Krishna Miriyala [email protected]
> Krishna Mohan Elluru [email protected]
> +Kurt Roeckx [email protected]
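
Review bot: the added "Kurt Roeckx" line in AUTHORS is not explained by the commit message quoted above, which only describes the SHA-512 detection. State in the commit message why the name is being added (for example, if it is credit for reporting the OpenSSL 1.1.0 test failure) so the AUTHORS change can be traced to its reason.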

There really is no reason to add me, it's not like I contributed
anything, someone else tried to build it and I just filed bugs
based on that.

Kurt