Date: Sat, 14 May 2022 21:14:12 +1000
From: Stephen Hocking <stephen.hocking@gmail.com>
To: hackers@freebsd.org
Subject: EasyRSA's pkitool has the use of sha1 to sign certs hardcoded all over the place.
Message-ID: <CA%2BxzKjC-ezcx9Fv%2Bf1CLh=hJJQDc1R3KMLEnZ_1X4Q-_SfEi0Q@mail.gmail.com>

Hi all,

After coming across the recent issue that OpenVPN clients using new versions of openssl wouldn't accept ca certs I'd generated a while ago, complaining that the signature was signed with a suitably strong hash I went hunting. Turns out the openssl.cnf entry of what the message digest is supposed to be is over-ridden by the explicit invocation of -sha1 on the command line for a few of the commands.

-- 
"I and the public know
what all schoolchildren learn
Those to whom evil is done
Do evil in return"		W.H. Auden, "September 1, 1939"
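
Added example, not part of the original message and not code from EasyRSA: a small scanner that lists the openssl invocations in a shell script which hardcode a weak digest flag, the situation described above where the command line wins over the digest configured in openssl.cnf. It goes slightly beyond the message by also flagging -md5; the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# find_hardcoded_digest FILE   (hypothetical helper name)
# Prints "LINE:FLAG" for every logical command (backslash continuations
# joined) that mentions openssl or $OPENSSL and carries -sha1 or -md5.
# LINE is the line on which the command starts. Comment lines are skipped.
find_hardcoded_digest() {
    awk '
    function check(cmd, n,    i, nf, f) {
        if (cmd ~ /^[ \t]*#/) return             # whole command is a comment
        if (tolower(cmd) !~ /openssl/) return    # not an openssl invocation
        nf = split(cmd, f, /[ \t]+/)
        for (i = 1; i <= nf; i++) {
            gsub(/[";)]/, "", f[i])              # drop trailing quoting/punctuation
            if (f[i] == "-sha1" || f[i] == "-md5") print n ":" f[i]
        }
    }
    {
        if (buf == "") start = NR
        line = $0
        if (line ~ /\\$/) {                      # continuation: keep collecting
            sub(/\\$/, "", line)
            buf = buf line " "
            next
        }
        check(buf line, start)
        buf = ""
    }
    END { if (buf != "") check(buf, start) }
    ' "$1"
}

# sample_script: constructed input for the scanner, NOT the real pkitool.
sample_script() {
    cat <<'EOF'
#!/bin/sh
# constructed sample, not the real pkitool
OPENSSL=openssl
# $OPENSSL req -sha1 (commented out, must not be reported)
$OPENSSL req -batch -days 3650 -nodes -new -x509 -sha1 \
    -keyout ca.key -out ca.crt -config "$KEY_CONFIG"
$OPENSSL ca -batch -days 3650 -out client.crt \
    -in client.csr -md sha256 -config "$KEY_CONFIG"
$OPENSSL req -batch -nodes -new \
    -keyout client.key -out client.csr -sha1
echo "-sha1 done"
EOF
}
```

After removing the flagged options and re-issuing, `openssl x509 -in ca.crt -noout -text` shows the resulting "Signature Algorithm" so the change can be confirmed on the certificate itself.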