Use Stronger digest than sha1 for signing certs

With OpenSSL 3.0[1] sha1 can't be used with default security level, let's use stronger digest that's supported i.e sha256. [1] https://github.com/openssl/openssl/commit/aba03ae Change-Id: I18fc7f85d1649a47000fa1a3289ab449e94be608 (cherry picked from commit 3b1d359416)
2021-05-21 17:58:54 +05:30 · 2021-05-21 17:58:54 +05:30 · 47f637f1d4
parent e14be19d37
commit 47f637f1d4
2 changed files with 2 additions and 2 deletions
--- a/packstack/modules/ospluginutils.py
+++ b/packstack/modules/ospluginutils.py
@ -141,7 +141,7 @@ def generate_ssl_cert(config, host, service, ssl_key_file, ssl_cert_file):
        cert.set_pubkey(k)
        serial = int(time())
        cert.set_serial_number(serial)
-        cert.sign(ca_key, 'sha1')
+        cert.sign(ca_key, 'sha256')

        final_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
        final_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
--- a/packstack/plugins/ssl_001.py
+++ b/packstack/plugins/ssl_001.py
@ -278,7 +278,7 @@ def create_self_signed_cert(config, messages):
                "keyid:always".encode('ascii'), issuer=cert)
        ])

-        cert.sign(k, 'sha1')
+        cert.sign(k, 'sha256')

        open((CERT_FILE), "w").write(
            crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode())