With the recent update of Fedora rawhide I've noticed
virnettlssessiontest and virnettlscontexttest failing with:

  Our own certificate servercertreq-ctx.pem failed validation
  against cacertreq-ctx.pem: The certificate uses an insecure
  algorithm

This is a result of Fedora changes to support strong crypto [1]. RSA
with 1024 bit key is viewed as legacy and thus insecure. Generate
a new private key then. Moreover, switch to EC which is not only
shorter but also not deprecated as often as RSA. Generated
using the following command:

  openssl genpkey --outform PEM --out privkey.pem \
    --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
    --pkeyopt ec_param_enc:named_curve

1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---

According to our CI all systems support elliptic curves:

https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641

but maybe this should be merged only after the release?

tests/virnettlshelpers.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
diff --git a/tests/virnettlshelpers.c b/tests/virnettlshelpers.c
index e2b8e8359a..979afed307 100644
--- a/tests/virnettlshelpers.c
+++ b/tests/virnettlshelpers.c
@@ -47,22 +47,10 @@ extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
gnutls_x509_privkey_t privkey;
# define PRIVATE_KEY \
"-----BEGIN PRIVATE KEY-----\n" \
- "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n" \
- "BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE\n" \
- "Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9\n" \
- "rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc\n" \
- "kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL\n" \
- "IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H\n" \
- "myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn\n" \
- "2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO\n" \
- "m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J\n" \
- "bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK\n" \
- "mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA\n" \
- "Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa\n" \
- "L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd\n" \
- "a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W\n" \
- "nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp\n" \
- "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n" \
+ "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD39t6GRLeEmsYjRGR6\n" \
+ "iQiIN2S4zXsgLGS/2GloXdG7K+i/3vEJDt9celZ0DfCLcG6hZANiAAQTJIe13jy7\n" \
+ "k4KTXMkHQHEJa/asH263JaPL5kTbfRa6tMq3DS3pzWlOj+NHY/9JzthrKD+Ece+g\n" \
+ "2g/POHa0gfXRYXGiHTs8mY0AHFqNNmF38eIVGjOqobIi90MkyI3wx4g=\n" \
"-----END PRIVATE KEY-----\n"
/*
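Review bot: the replacement PRIVATE_KEY literal carries no comment saying what kind of key it is or how it was produced, so the P-384 choice and the `openssl genpkey` invocation are recorded only in the commit message. Consider a short comment above `# define PRIVATE_KEY` naming the curve and the generating command, and stating that the key exists for the test suite only, so the next policy-driven regeneration can be reproduced from the source file itself.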
--
2.26.2
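
Added example, not part of the original patch or of libvirt: a stdlib-only Python check that reads the PKCS#8 header of each PRIVATE_KEY value in the diff above and reports the algorithm and key size the commit message describes. The function names and the two size floors are assumptions made for this illustration; only the first base64 line of each key is needed, because the algorithm OID and the RSA modulus length sit at the start of the structure.

```python
import base64

OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
CURVES = {bytes.fromhex("2b81040022"): ("secp384r1", 384),        # P-384
          bytes.fromhex("2a8648ce3d030107"): ("prime256v1", 256)}  # P-256
MIN_RSA_BITS, MIN_EC_BITS = 2048, 256  # assumed floors; the page only says 1024 fails

def tlv(buf, pos):
    """Parse the DER tag/length at pos; return (tag, value_offset, value_length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length

def describe_pkcs8(b64):
    """Return (algorithm, detail, bits) from the start of a PKCS#8 key body."""
    b64 = "".join(b64.split())
    der = base64.b64decode(b64[:len(b64) - len(b64) % 4])  # tolerate truncation
    _, pos, _ = tlv(der, 0)                # PrivateKeyInfo SEQUENCE
    _, pos, n = tlv(der, pos)              # version INTEGER
    _, pos, _ = tlv(der, pos + n)          # AlgorithmIdentifier SEQUENCE
    _, pos, n = tlv(der, pos)              # algorithm OID
    oid = der[pos:pos + n]
    _, ppos, pn = tlv(der, pos + n)        # parameters: NULL or named-curve OID
    if oid == OID_EC:
        name, bits = CURVES.get(der[ppos:ppos + pn], ("unknown curve", 0))
        return "EC", name, bits
    if oid != OID_RSA:
        return "unknown", oid.hex(), 0
    _, pos, _ = tlv(der, ppos + pn)        # privateKey OCTET STRING
    _, pos, _ = tlv(der, pos)              # RSAPrivateKey SEQUENCE
    _, pos, n = tlv(der, pos)              # version INTEGER
    _, pos, n = tlv(der, pos + n)          # modulus INTEGER
    lead = 1 if der[pos] == 0 else 0       # DER sign-padding byte
    bits = (n - lead) * 8 - (8 - der[pos + lead].bit_length())
    return "RSA", "modulus", bits

def acceptable(b64):
    alg, _, bits = describe_pkcs8(b64)
    return alg == "EC" and bits >= MIN_EC_BITS or alg == "RSA" and bits >= MIN_RSA_BITS

# First base64 line of the removed and the added PRIVATE_KEY in the diff above.
OLD_KEY_HEAD = "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr"
NEW_KEY_HEAD = "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD39t6GRLeEmsYjRGR6"

for label, head in (("old", OLD_KEY_HEAD), ("new", NEW_KEY_HEAD)):
    print(label, describe_pkcs8(head), "ok" if acceptable(head) else "REJECT")
```
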

On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
> With the recent update of Fedora rawhide I've noticed
> virnettlssessiontest and virnettlscontexttest failing with:
>
>   Our own certificate servercertreq-ctx.pem failed validation
>   against cacertreq-ctx.pem: The certificate uses an insecure
>   algorithm
>
> This is a result of Fedora changes to support strong crypto [1]. RSA
> with 1024 bit key is viewed as legacy and thus insecure. Generate
> a new private key then. Moreover, switch to EC which is not only
> shorter but also not deprecated as often as RSA. Generated
> using the following command:
>
>   openssl genpkey --outform PEM --out privkey.pem \
>     --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
>     --pkeyopt ec_param_enc:named_curve
>
> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>
> According to our CI all systems support elliptic curves:
>
> https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
>
> but maybe this should be merged only after the release?

It'd be nicer to merge for release actually, because otherwise we're
going to hit the failing test when we pull the new release into
Fedora rawhide.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 7/1/20 1:13 PM, Daniel P. Berrangé wrote:
> On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
>> With the recent update of Fedora rawhide I've noticed
>> virnettlssessiontest and virnettlscontexttest failing with:
>>
>>   Our own certificate servercertreq-ctx.pem failed validation
>>   against cacertreq-ctx.pem: The certificate uses an insecure
>>   algorithm
>>
>> This is a result of Fedora changes to support strong crypto [1]. RSA
>> with 1024 bit key is viewed as legacy and thus insecure. Generate
>> a new private key then. Moreover, switch to EC which is not only
>> shorter but also not deprecated as often as RSA. Generated
>> using the following command:
>>
>>   openssl genpkey --outform PEM --out privkey.pem \
>>     --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
>>     --pkeyopt ec_param_enc:named_curve
>>
>> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>>
>> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>> ---
>>
>> According to our CI all systems support elliptic curves:
>>
>> https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
>>
>> but maybe this should be merged only after the release?
>
> It'd be nicer to merge for release actually, because otherwise we're
> going to hit the failing test when we pull the new release into
> Fedora rawhide.
>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Alright, I've merged it.

Michal