[Openstack-security] [Bug 1516703] Re: crypto.py generates certs with SHA-1 digest
Sean Dague
sean at dague.net
Sat Feb 20 15:36:38 UTC 2016
** Changed in: nova
Importance: Undecided => Medium
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1516703
Title:
crypto.py generates certs with SHA-1 digest
Status in OpenStack Compute (nova):
In Progress
Bug description:
nova/crypto.py:generate_winrm_x509_cert() generates certs with default
SHA-1 digest.
The call to 'openssl req' does not specify -digest option nor
certificate config file sets digest, so certificates are generated
with SHA-1 digest. SHA-1 is not considered to be a secure algorithm
for certificates' digest.
It would be preferable to:
1) let user specify digest algorithm via a config option
2) default to SHA-256
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1516703/+subscriptions
More information about the Openstack-security
mailing list