> I should also add that the other obvious/easy "fix" is to initialise digest
> in openssl/req.c to the SHA-256 EVP. That only changes 'openssl req'
> though.
>
> > (and yes, clearly I've spent too much time in this code base recently...
> > :)
> >
> > > Index: openssl.cnf
> > > ===================================================================
> > > RCS file: /cvs/src/lib/libcrypto/openssl.cnf,v
> > > retrieving revision 1.1
> > > diff -u -p -r1.1 openssl.cnf
> > > --- openssl.cnf 11 Apr 2014 22:51:53 -0000 1.1
> > > +++ openssl.cnf 30 Sep 2014 22:42:53 -0000
> > > @@ -7,7 +7,8 @@
> > >
> > > ####################################################################
> > > [ req ]
> > > -default_bits = 1024
> > > +default_bits = 2048
> > > +default_md = sha256
> > > default_keyfile = privkey.pem
> > > distinguished_name = req_distinguished_name
> > > attributes = req_attributes
The following does this, however note that the default_bits of 1024 from
openssl.cnf trumps the 2048 in the define... we probably should also stop
making EVP_des_ede3_cbc() the default cipher...
Index: req.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/req.c,v
retrieving revision 1.2
diff -u -p -r1.2 req.c
--- req.c 28 Aug 2014 14:23:52 -0000 1.2
+++ req.c 1 Oct 2014 08:59:54 -0000
@@ -97,7 +97,7 @@
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
-#define DEFAULT_KEY_LENGTH 512
+#define DEFAULT_KEY_LENGTH 2048
#define MIN_KEY_LENGTH 384
@@ -187,6 +187,7 @@ req_main(int argc, char **argv)
#ifndef OPENSSL_NO_DES
cipher = EVP_des_ede3_cbc();
#endif
+ digest = EVP_sha256();
infile = NULL;
outfile = NULL;
--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
