On Sun, Jun 26, 2016 at 08:55:04PM +0200, Kurt Roeckx wrote:
> On Sun, Jun 26, 2016 at 11:05:35AM -0700, Ben Pfaff wrote:
> > The upcoming OpenSSL 1.1.0 release disables use of SHA-1, which breaks the
> > OVS unit tests, which use SHA-1. We last tried to switch to SHA-512 in
> > 2014 with commit 9ff33ca75e9fcc ("ovs-pki: Use SHA-512 instead of MD5 as
> > message digest."), but we had to downgrade to SHA-1 in commit 4a1f9610682d
> > ("ovs-pki: Use SHA-1 instead of SHA-512 as message digest.") because
> > XenServer did not support SHA-512.
> >
> > This commit detects support for SHA-512 and uses it if available, so it
> > should avoid the problem encountered previously.
>
> Note that openssl has supported SHA-512 for a while. It's been
> supported since 0.9.8 which was released in 2005. So that support
> detection doesn't look like a good idea.
>
> You indicated that XenServer didn't support it. Did that change?

I don't know.

I guess we could always just try again and see if XenServer folks
complain again.

Honestly I'd prefer to have a fixed choice.

> From what I understand of the log it's that the certificate is still
> using a weak digest. I guess we started to reject SHA-1 by
> default now, which is actually a good thing. The browsers should
> stop supporting it soon too.
>
> I suggest you just switch to SHA-256 or SHA-512 by default.
>
> > diff --git a/AUTHORS b/AUTHORS
> > index 704ba40..a893330 100644
> > --- a/AUTHORS
> > +++ b/AUTHORS
> > @@ -367,6 +367,7 @@ Konstantin Khorenko [email protected]
> > Kris zhang [email protected]
> > Krishna Miriyala [email protected]
> > Krishna Mohan Elluru [email protected]
> > +Kurt Roeckx [email protected]
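
Review bot: the added `+Kurt Roeckx` line in AUTHORS is not mentioned in the commit message, which describes only the SHA-512 detection. Either note the credit in the message or move it to a separate commit so the digest change can be reviewed and reverted on its own.
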
>
> There really is no reason to add me, it's not like I contributed
> anything, someone else tried to build it and I just filed bugs
> based on that.

OK. I habitually add people who report bugs, since bug reporting is a
kind of public service. I'll drop it for v2.

Thanks,

Ben.
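
The thread's concern, certificates signed with a digest that OpenSSL now rejects, can be checked directly on generated certificates. The script below is an added example, not part of the thread or of ovs-pki; the function names are hypothetical and the test certificate it can create is constructed.

```shell
#!/bin/sh
# Added example: report which digest a certificate was signed with and
# flag MD2/MD4/MD5/SHA-1. Assumes the openssl CLI is on PATH.

# Print the certificate's signature algorithm, e.g. sha512WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 when the algorithm name contains a weak digest.
# Limitation: RSASSA-PSS lists its hash on a separate line and is not parsed.
sig_alg_is_weak() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict line; return 0 = ok, 1 = weak digest, 2 = unreadable.
audit_cert() {
    alg=$(cert_sig_alg "$1")
    if [ -z "$alg" ]; then
        echo "UNREADABLE $1"
        return 2
    fi
    if sig_alg_is_weak "$alg"; then
        echo "WEAK $1 $alg"
        return 1
    fi
    echo "ok $1 $alg"
}

# Create a throwaway self-signed certificate (constructed test data)
# in directory $1, signed with the fixed digest $2 (e.g. sha512).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -"$2" -days 1 \
        -subj "/CN=constructed-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Audit every certificate named on the command line.
rc=0
for f in "$@"; do
    audit_cert "$f" || rc=1
done
[ "$rc" -eq 0 ]
```

Run it with certificate paths as arguments; it exits non-zero if any of them is weak or unreadable.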