On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
> With the recent update of Fedora rawhide I've noticed
> virnettlssessiontest and virnettlscontexttest failing with:
>
>   Our own certificate servercertreq-ctx.pem failed validation
>   against cacertreq-ctx.pem: The certificate uses an insecure
>   algorithm
>
> This is a result of Fedora changes to support strong crypto [1]. RSA
> with 1024 bit key is viewed as legacy and thus insecure. Generate
> a new private key then. Moreover, switch to EC which is not only
> shorter but also not deprecated as often as RSA. Generated
> using the following command:
>
>   openssl genpkey --outform PEM --out privkey.pem \
>     --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
>     --pkeyopt ec_param_enc:named_curve
>
> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
>
> According to our CI all systems support elliptic curves:
>
>   https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
>
> but maybe this should be merged only after the release?

It'd be nicer to merge for release actually, because otherwise we're
going to hit the failing test when we pull the new release into
Fedora rawhide.
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
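
An added example, not part of this thread or of libvirt's test suite: a shell check that flags private keys likely to be rejected as legacy under a strong-crypto policy, alongside the key-generation options from the commit message. The function names and the `MIN_RSA_BITS` / `MIN_EC_BITS` thresholds are assumptions; the thread itself only says that 1024-bit RSA is rejected.

```shell
#!/bin/sh
# Added example: audit private keys against a minimum-strength policy.
# Thresholds are assumed values, not taken from the thread, which only
# states that 1024-bit RSA is treated as legacy.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}
MIN_EC_BITS=${MIN_EC_BITS:-256}

# gen_ec_key FILE: generate a P-384 key with the options from the commit
# message (written here in openssl's single-dash spelling).
gen_ec_key() {
    openssl genpkey -outform PEM -out "$1" \
        -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
        -pkeyopt ec_param_enc:named_curve 2>/dev/null
}

# classify_key FILE: print "ok ALGO BITS", "legacy ALGO BITS",
# "unknown" (unsupported key type) or "unreadable" (not a usable key).
classify_key() {
    # "-passin pass:" stops openssl from prompting on encrypted keys.
    text=$(openssl pkey -in "$1" -passin pass: -noout -text 2>/dev/null) || {
        echo "unreadable"; return 0; }
    # First line is "Private-Key: (384 bit)" or, on some versions,
    # "RSA Private-Key: (1024 bit, 2 primes)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1)
    case "$text" in
        *"ASN1 OID:"*) algo=EC;  min=$MIN_EC_BITS ;;   # named-curve EC key
        *modulus:*)    algo=RSA; min=$MIN_RSA_BITS ;;
        *) echo "unknown"; return 0 ;;
    esac
    if [ "${bits:-0}" -ge "$min" ]; then verdict=ok; else verdict=legacy; fi
    echo "$verdict $algo $bits"
}

# Audit every key file named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_key "$f")"
done
```

Run it over a directory of test keys (for example `sh audit-keys.sh tests/*.pem`, a hypothetical file name and path) before a distribution tightens its crypto policy, so that weak test keys surface as audit output rather than as failing TLS tests.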