Fix tls-proxy on newer versions of openssl

Newer versions of openssl (CentOS9Stream for example) do not like using sha1.
Devstack will fail on these systems[1] with the following error:
801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:
This patch updates the tls-proxy code in devstack to use sha256 instead of sha1, which allows devstack to complete when tls-proxy is enabled.

[1] https://zuul.opendev.org/t/openstack/build/1d90b22a39c74e24a8390861b3c5f957/log/job-output.txt#5535

Closes-Bug: #1962600

Change-Id: I71e1371affe32f070167037b0109a489d196bd31
Michael Johnson 2022-02-28 18:42:34 +00:00 committed by Erik Olof Gunnar Andersson
parent a435078fcb
commit 35bc600da1


@ -169,7 +169,7 @@ default_md = default
[ req ] [ req ]
default_bits = 1024 default_bits = 1024
default_md = sha1 default_md = sha256
prompt = no prompt = no
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
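Review bot: `default_bits = 1024` in this `[ req ]` section is left unchanged right above the digest fix, and a 1024-bit RSA key is the next thing a strict OpenSSL policy is likely to refuse, since hosts that reject sha1 signatures commonly enforce a 2048-bit RSA minimum as well. Consider raising it to `default_bits = 2048` in the same change so that the tls-proxy setup does not fail again one step later on the same systems.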
@ -261,7 +261,7 @@ function make_cert {
if [ ! -r "$ca_dir/$cert_name.crt" ]; then if [ ! -r "$ca_dir/$cert_name.crt" ]; then
# Generate a signing request # Generate a signing request
$OPENSSL req \ $OPENSSL req \
-sha1 \ -sha256 \
-newkey rsa \ -newkey rsa \
-nodes \ -nodes \
-keyout $ca_dir/private/$cert_name.key \ -keyout $ca_dir/private/$cert_name.key \
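Review bot: The digest in `make_cert` is still a hard-coded literal (`-sha256`), and the same literal is repeated in `make_int_CA` and in `default_md`, so the next digest policy change has to touch three places again. Consider defining it once in a shell variable near the top of the file (for example a hypothetical `TLS_DIGEST=sha256`) and passing `-$TLS_DIGEST` here. Separately, `-newkey rsa` gives no explicit size, so the key length of every generated certificate depends on whatever `default_bits` is in effect.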
@ -301,7 +301,7 @@ function make_int_CA {
if [ ! -r "$ca_dir/cacert.pem" ]; then if [ ! -r "$ca_dir/cacert.pem" ]; then
# Create a signing certificate request # Create a signing certificate request
$OPENSSL req -config $ca_dir/ca.conf \ $OPENSSL req -config $ca_dir/ca.conf \
-sha1 \ -sha256 \
-newkey rsa \ -newkey rsa \
-nodes \ -nodes \
-keyout $ca_dir/private/cacert.key \ -keyout $ca_dir/private/cacert.key \
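Review bot: Missing documentation on the `-sha256` line in `make_int_CA`: nothing in the code records why the digest changed, so a later cleanup could reintroduce sha1 without noticing. A short comment above the `$OPENSSL req` call stating that newer OpenSSL builds reject sha1 with "invalid digest" (Bug #1962600) would keep the reason next to the code. As a style point on the same call, `$ca_dir/ca.conf` and `$ca_dir/private/cacert.key` are unquoted while the `-r` test two lines up quotes `"$ca_dir/cacert.pem"`; quoting them consistently avoids word splitting if the data directory path ever contains whitespace.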