From 35bc600da17c7342345fa9c4d0b8078a8388fad1 Mon Sep 17 00:00:00 2001
From: Michael Johnson
Date: Mon, 28 Feb 2022 18:42:34 +0000
Subject: [PATCH] Fix tls-proxy on newer versions of openssl

Newer versions of openssl (CentOS9Stream for example) do not like using sha1. Devstack will fail on these systems[1] with the following error:

801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:

This patch updates the tls-proxy code in devstack to use sha256 instead of sha1 which allows devstack to complete when tls-proxy is enabled.

[1] https://zuul.opendev.org/t/openstack/build/1d90b22a39c74e24a8390861b3c5f957/log/job-output.txt#5535

Closes-Bug: #1962600
Change-Id: I71e1371affe32f070167037b0109a489d196bd31
---
 lib/tls | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/tls b/lib/tls
index b3cc0b4159..5a7f5ae324 100644
--- a/lib/tls
+++ b/lib/tls
@@ -169,7 +169,7 @@ default_md = default
 
 [ req ]
 default_bits = 1024
-default_md = sha1
+default_md = sha256
 
 prompt = no
 distinguished_name = req_distinguished_name
@@ -261,7 +261,7 @@ function make_cert {
 if [ ! -r "$ca_dir/$cert_name.crt" ]; then
 # Generate a signing request
 $OPENSSL req \
- -sha1 \
+ -sha256 \
 -newkey rsa \
 -nodes \
 -keyout $ca_dir/private/$cert_name.key \
@@ -301,7 +301,7 @@ function make_int_CA {
 if [ ! -r "$ca_dir/cacert.pem" ]; then
 # Create a signing certificate request
 $OPENSSL req -config $ca_dir/ca.conf \
- -sha1 \
+ -sha256 \
 -newkey rsa \
 -nodes \
 -keyout $ca_dir/private/cacert.key \
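Review bot: `default_bits = 1024` survives as context two lines above the changed `default_md` line in the first hunk, and a 1024-bit RSA key is likely to be rejected by the same modern OpenSSL builds that reject SHA-1 signatures (the default system crypto policy on CentOS 9 Stream sets a 2048-bit minimum for RSA), so this fix may only move the failure from the digest check to the key check. Raising it to `default_bits = 2048` alongside the digest change would keep the generated CA and server keys acceptable under default security levels; the `$OPENSSL req -newkey rsa` calls in the make_cert and make_int_CA hunks pass no explicit key size, so they appear to inherit this value or OpenSSL's own default, which is worth confirming per call since only the make_int_CA invocation visibly passes `-config`. The here-document holding the `[ req ]` section starts and ends outside the first hunk, and make_cert and make_int_CA both begin before and continue past their hunks.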