On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote:
> The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in
> 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> XenServer did not support SHA-512.
>
> This commit detects support for SHA-512 and uses it if available, so it
> should avoid the problem encountered previously.

Note that OpenSSL has supported SHA-512 for a while. It's been supported since 0.9.8 which was released in 2005. So that support detection doesn't look like a good idea. You indicated that XenServer didn't support it. Did that change?

From what I understand of the log it's that the certificate is still using a weak digest. I guess we started to reject SHA-1 by default now, which is actually a good thing. The browsers should stop supporting it soon too.

I suggest you just switch to SHA-256 or SHA-512 by default.

> diff --git a/AUTHORS b/AUTHORS
> index 704ba40..a893330 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -367,6 +367,7 @@ Konstantin Khorenko khore...@openvz.org
> Kris zhang zhang.k...@gmail.com
> Krishna Miriyala kris...@nicira.com
> Krishna Mohan Elluru elluru.kri.mo...@hpe.com
> +Kurt Roeckx k...@roeckx.be

There really is no reason to add me, it's not like I contributed anything, someone else tried to build it and I just filed bugs based on that.

Kurt