On 7/1/20 1:13 PM, Daniel P. Berrangé wrote:
On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
> With the recent update of Fedora rawhide I've noticed
> virnettlssessiontest and virnettlscontexttest failing with:
>
> Our own certificate servercertreq-ctx.pem failed validation
> against cacertreq-ctx.pem: The certificate uses an insecure
> algorithm
>
> This is a result of Fedora changes to support strong crypto [1]. RSA
> with a 1024 bit key is viewed as legacy and thus insecure. Generate
> a new private key then. Moreover, switch to EC which is not only
> shorter but also not deprecated as often as RSA. Generated
> using the following command:
>
> openssl genpkey --outform PEM --out privkey.pem \
> --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
> --pkeyopt ec_param_enc:named_curve
>
> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>
> Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
> ---
>
> According to our CI all systems support elliptic curves:
>
> https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
>
> but maybe this should be merged only after the release?

It'd be nicer to merge for release actually, because otherwise we're
going to hit the failing test when we pull the new release into
Fedora rawhide.

Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
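
The key regeneration from the commit message, paired with a size check that flags a legacy key before the TLS library rejects the certificate, as an added example that is not part of the original thread or of libvirt. The function names and the `MIN_RSA_BITS` / `MIN_EC_BITS` thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The thresholds are assumptions for
# illustration; the thread only says that 1024-bit RSA is rejected.
MIN_RSA_BITS=2048
MIN_EC_BITS=256

# Generate an EC P-384 key with the options given in the commit message
# (written here with the single-dash option spelling).
gen_ec_key() {
    openssl genpkey -outform PEM -out "$1" \
        -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
        -pkeyopt ec_param_enc:named_curve
}

# Generate an RSA key of $2 bits; only used to build a legacy sample key.
gen_rsa_key() {
    openssl genpkey -outform PEM -out "$1" \
        -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" 2>/dev/null
}

# Print "<TYPE> <BITS> <ok|weak|unchecked>" for the PEM private key in $1.
# Returns 0 for ok/unchecked, 1 for weak, 2 if the file cannot be parsed.
key_strength() {
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || {
        echo "UNREADABLE 0 weak"; return 2; }
    # The first line of the dump reads "...Private-Key: (<bits> bit...".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    bits=${bits:-0}
    if printf '%s\n' "$text" | grep -q '^modulus:'; then
        type=RSA; min=$MIN_RSA_BITS
    elif printf '%s\n' "$text" | grep -q '^ASN1 OID:'; then
        type=EC; min=$MIN_EC_BITS
    else
        echo "OTHER $bits unchecked"; return 0
    fi
    if [ "$bits" -ge "$min" ]; then
        echo "$type $bits ok"; return 0
    fi
    echo "$type $bits weak"; return 1
}
```

The non-zero return for a weak key lets a build script fail early on a stale test key instead of surfacing later as a certificate validation error.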