[Openstack-security] [Bug 1516703] Re: crypto.py generates certs with SHA-1 digest

Sean Dague sean at dague.net
Thu Jun 8 12:20:55 UTC 2017


** Tags added: windows

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1516703

Title:
  crypto.py generates certs with SHA-1 digest

Status in OpenStack Compute (nova):
  New

Bug description:
  nova/crypto.py:generate_winrm_x509_cert() generates certs with default
  SHA-1 digest.

  The call to 'openssl req' does not specify -digest option nor
  certificate config file sets digest, so certificates are generated
  with SHA-1 digest. SHA-1 is not considered to be a secure algorithm
  for certificates' digest.

  It would be preferable to:
  1) let user specify digest algorithm via a config option
  2) default to SHA-256

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1516703/+subscriptions




More information about the Openstack-security mailing list