From: Sebastian Kemper Date: Wed, 13 Nov 2019 19:29:50 +0000 (+0100) Subject: [gentls_cert] Update message digest X-Git-Tag: v1.10.6^2^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70d1cbafe4ab0176cd9fc01f740e34cd1bae326b;p=thirdparty%2Ffreeswitch.git [gentls_cert] Update message digest Debian Buster updated /etc/ssl/openssl.cnf to default to MinProtocol = TLSv1.2 CipherString = DEFAULT@SECLEVEL=2 gentls_cert currently uses SHA1 as message digest. According to OpenSSL documentation this only offers 80 bit of security. 80 bits is enough for security level 1, but not 2. The OpenSSL default MD nowadays is SHA256. This commit updates gentls_cert to use it. Issue was reported on the FS mailing list. The certificates created by gentls_cert caused "md too weak" errors and clients were unable to connect. Signed-off-by: Sebastian Kemper --- diff --git a/scripts/gentls_cert.in b/scripts/gentls_cert.in index 43aa8ac605..dd56c9f6dc 100644 --- a/scripts/gentls_cert.in +++ b/scripts/gentls_cert.in @@ -89,7 +89,7 @@ setup_ca() { openssl req -out "${CONFDIR}/CA/cacert.pem" \ -new -x509 -keyout "${CONFDIR}/CA/cakey.pem" \ - -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha1 >/dev/null || exit 1 + -config "${TMPFILE}.cfg" -nodes -days ${DAYS} -sha256 >/dev/null || exit 1 cat "${CONFDIR}/CA/cacert.pem" > "${CONFDIR}/cafile.pem" cp $TMPFILE.cfg /tmp/ssl.cfg rm "${TMPFILE}.cfg" @@ -131,11 +131,11 @@ generate_cert() { openssl req -new -out "${TMPFILE}.req" \ -newkey rsa:${KEY_SIZE} -keyout "${TMPFILE}.key" \ - -config "${TMPFILE}.cfg" -nodes -sha1 >/dev/null || exit 1 + -config "${TMPFILE}.cfg" -nodes -sha256 >/dev/null || exit 1 openssl x509 -req -CAkey "${CONFDIR}/CA/cakey.pem" -CA "${CONFDIR}/CA/cacert.pem" -CAcreateserial \ -in "${TMPFILE}.req" -out "${TMPFILE}.crt" -extfile "${TMPFILE}.cfg" \ - -extensions "${EXTENSIONS}" -days ${DAYS} -sha1 >/dev/null || exit 1 + -extensions "${EXTENSIONS}" -days ${DAYS} -sha256 >/dev/null || exit 1 cat "${TMPFILE}.crt" "${TMPFILE}.key" > "${CONFDIR}/${OUTFILE}"