The Samba-Bugzilla – Attachment 13481 Details for Bug 12953: Samba's autogenerated SSL cert uses SHA1
patch cherry-picked from master for 4.7
0001-s4-lib-tls-Use-SHA256-to-sign-the-TLS-certificates.patch (text/plain), 1.78 KB, created by Andrew Bartlett on 2017-08-18 03:12:08 UTC
>From 7561970b37e8a151b238881529294229ccc488f8 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Wed, 9 Aug 2017 16:44:24 +1200 >Subject: [PATCH] s4/lib/tls: Use SHA256 to sign the TLS certificates > >The use of SHA-1 has been on the "do not" list for a while now, so make our >self-signed certificates use SHA256 using the new >gnutls_x509_crt_sign2 provided since GNUTLS 1.2.0 > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Garming Sam <garming@catalyst.net.nz> > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12953 >(cherry picked from commit 5bb341fb9ceb943b4a72108edee9046b60f070b0) >--- > source4/lib/tls/tlscert.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > >diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c >index f1808d7cfd9..db4f2946ad4 100644 >--- a/source4/lib/tls/tlscert.c >+++ b/source4/lib/tls/tlscert.c >@@ -106,7 +106,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, > #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID > TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize)); > #endif >- TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey)); >+ TLSCHECK(gnutls_x509_crt_sign2(cacrt, cacrt, cakey, >+ GNUTLS_DIG_SHA256, 0)); > > DEBUG(3,("Generating TLS certificate\n")); > TLSCHECK(gnutls_x509_crt_init(&crt)); >@@ -132,8 +133,10 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, > #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID > TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize)); > #endif >- TLSCHECK(gnutls_x509_crt_sign(crt, crt, key)); >- TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey)); >+ TLSCHECK(gnutls_x509_crt_sign2(crt, crt, key, >+ GNUTLS_DIG_SHA256, 0)); >+ TLSCHECK(gnutls_x509_crt_sign2(crt, cacrt, cakey, >+ GNUTLS_DIG_SHA256, 0)); > > DEBUG(3,("Exporting TLS keys\n")); > >-- >2.11.0 >
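Review bot: The CA signing call in the first hunk (@@ -106,7 +106,8) now uses GNUTLS_DIG_SHA256, but neither the patch nor its commit message covers certificates that tls_cert_generate produced before this change; the patch touches only the signing calls made at generation time, so a certificate that already exists keeps the signature it was created with. Suggest a sentence in the commit message or release notes stating that an already generated self-signed certificate is not re-signed and has to be generated again to get a SHA256 signature.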
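Review bot: In the second hunk (@@ -132,8 +133,10) crt is signed twice in a row, first with its own key and then with cacrt/cakey, and the second gnutls_x509_crt_sign2 call looks like it replaces the signature written by the first. If that is the case, the self-signing call can be dropped; if both are needed, a short comment saying why would help. Separately, GNUTLS_DIG_SHA256 is now spelled out at all three call sites, so a single named constant for the digest would make the next algorithm change a one-line edit.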
Flags: garming: review+