On Sun, Jun 26, 2016 at 08:55:04PM +0200, Kurt Roeckx wrote:
> On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote:
> > The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> > OVS unit tests, which use SHA-1.  We last tried to switch to SHA-512 in
> > 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> > message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> > ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> > XenServer did not support SHA-512.
> > 
> > This commit detects support for SHA-512 and uses it if available, so it
> > should avoid the problem encountered previously.
> 
> Note that openssl has supported SHA-512 for a while.  It's been
> supported since 0.9.8 which was released in 2005.  So that support
> detection doesn't look like a good idea.
> 
> You indicated that XenServer didn't support it.  Did that change?

I don't know.

I guess we could always just try again and see if XenServer folks
complain again.

Honestly I'd prefer to have a fixed choice.

> From what I understand of the log it's that the certificate is still
> using a weak digest.  I guess we started to reject SHA-1 by
> default now, which is actually a good thing.  The browsers should
> stop supporting it soon too.
> 
> I suggest you just switch to SHA-256 or SHA-512 by default.
> 
> > diff --git a/AUTHORS b/AUTHORS
> > index 704ba40..a893330 100644
> > --- a/AUTHORS
> > +++ b/AUTHORS
> > @@ -367,6 +367,7 @@ Konstantin Khorenko     khore...@openvz.org
> >  Kris zhang              zhang.k...@gmail.com
> >  Krishna Miriyala        kris...@nicira.com
> >  Krishna Mohan Elluru    elluru.kri.mo...@hpe.com
> > +Kurt Roeckx             k...@roeckx.be
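Review bot: The new AUTHORS line for Kurt Roeckx should be dropped from this patch rather than carried into v2; the person being added states in this thread that they only filed bugs and did not contribute code, and the author has agreed to remove it. Separately, the hunk header `@@ -367,6 +367,7 @@` announces six original lines but only three context lines plus the addition are quoted here, so the trailing context of the hunk was trimmed in the quote; that does not change what the hunk does.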
> 
> There really is no reason to add me, it's not like I contributed
> anything, someone else tried to build it and I just filed bugs
> based on that.

OK.  I habitually add people who report bugs, since bug reporting is a
kind of public service.  I'll drop it for v2.

Thanks,

Ben.
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev