Date:      Sat, 14 May 2022 21:14:12 +1000
From:      Stephen Hocking <stephen.hocking@gmail.com>
To:        hackers@freebsd.org
Subject:   EasyRSA's pkitool has the use of sha1 to sign certs hardcoded all over the place.
Message-ID:  <CA%2BxzKjC-ezcx9Fv%2Bf1CLh=hJJQDc1R3KMLEnZ_1X4Q-_SfEi0Q@mail.gmail.com>

Hi all,

After coming across the recent issue that OpenVPN clients using new
versions of openssl wouldn't accept ca certs I'd generated a while ago,
complaining that the signature was signed with a suitably strong hash, I
went hunting. Turns out the openssl.cnf entry of what the message digest is
supposed to be is overridden by the explicit invocation of -sha1 on the
command line for a few of the commands.

-- 

  "I and the public know
  what all schoolchildren learn
  Those to whom evil is done
  Do evil in return"		W.H. Auden, "September 1, 1939"

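An added audit script, not from the message above or from EasyRSA itself: it scans pkitool-style shell text for openssl invocations whose digest is pinned on the command line (and so never honour default_md in openssl.cnf), counts the ones pinned to SHA-1 or MD5, and shows the rewrite to -sha256. The sample lines are constructed to resemble pkitool's, not copied from it, and SAMPLE_SCRIPT, classify_digests, count_weak_digests and harden_digests are names chosen for this example.

```shell
# Constructed sample resembling pkitool's openssl invocations; not the real file.
SAMPLE_SCRIPT=$(cat <<'EOF'
# build CA
$OPENSSL req -days $CA_EXPIRE $NODES_REQ -new -x509 -sha1 -keyout "$CA_KEY" -out "$CA_CERT" -config "$KEY_CONFIG"
# sign a server cert
$OPENSSL ca -days $KEY_EXPIRE -out "$1.crt" -in "$1.csr" -sha1 -config "$KEY_CONFIG"
# this request relies on default_md from the config file
$OPENSSL req -days $KEY_EXPIRE $NODES_REQ -new -keyout "$1.key" -out "$1.csr" -config "$KEY_CONFIG"
EOF
)

# Emit "<subcommand> <digest>" for each openssl call in the given script text.
# digest is the explicit flag, or "config-default" when the call defers to openssl.cnf.
classify_digests() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        $1 == "$OPENSSL" || $1 == "openssl" {
            digest = "config-default"
            for (i = 3; i <= NF; i++)
                if ($i ~ /^-(md5|sha1|sha224|sha256|sha384|sha512)$/) digest = $i
            print $2, digest
        }'
}

# Count calls pinned to a digest that current OpenSSL-based clients reject.
count_weak_digests() {
    classify_digests "$1" | awk '$2 == "-sha1" || $2 == "-md5" { n++ } END { print n + 0 }'
}

# Remediation: swap the hardcoded -sha1 for -sha256. Dropping the flag entirely
# and setting default_md = sha256 in openssl.cnf is the other option, since the
# config entry is only consulted when no digest is given on the command line.
harden_digests() {
    printf '%s\n' "$1" | sed -e 's/ -sha1 / -sha256 /g' -e 's/ -sha1$/ -sha256/'
}

# Report for the sample: 2 of 3 invocations are pinned to SHA-1.
classify_digests "$SAMPLE_SCRIPT"
echo "weak digests: $(count_weak_digests "$SAMPLE_SCRIPT")"
```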
