[PATCH] virnettlshelpers: Update private key

Michal Privoznik mprivozn at redhat.com
Wed Jul 1 11:35:06 UTC 2020


On 7/1/20 1:13 PM, Daniel P. Berrangé wrote:
> On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
>> With the recent update of Fedora rawhide I've noticed
>> virnettlssessiontest and virnettlscontexttest failing with:
>>
>>    Our own certificate servercertreq-ctx.pem failed validation
>>    against cacertreq-ctx.pem: The certificate uses an insecure
>>    algorithm
>>
>> This is a result of Fedora changes to support strong crypto [1]. RSA
>> with 1024 bit key is viewed as legacy and thus insecure. Generate
>> a new private key then. Moreover, switch to EC which is not only
>> shorter but also not deprecated as often as RSA. Generated
>> using the following command:
>>
>>    openssl genpkey --outform PEM --out privkey.pem \
>>    --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
>>    --pkeyopt ec_param_enc:named_curve
>>
>> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>>
>> According to our CI all systems support elliptic curves:
>>
>>    https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
>>
>> but maybe this should be merged only after the release?
> 
> It'd be nicer to merge for release actually, because otherwise we're
> going to hit the failing test when we pull the new release into
> Fedora rawhide.
> 
> Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>

Alright, I've merged it.

Michal
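
The commit message above swaps a 1024-bit RSA test key for an EC P-384 one. As an added example (not part of this thread or of libvirt), the Python code below reads an unencrypted PKCS#8 PEM key, the form `openssl genpkey` writes, and reports its algorithm and size so that undersized keys in test fixtures can be found before a stricter crypto policy rejects them. The 2048-bit RSA floor, the curve list and every function name are assumptions, and the two sample keys are constructed placeholders.

```python
import base64, re

RSA_OID, EC_OID = "2a864886f70d010101", "2a8648ce3d0201"  # rsaEncryption, id-ecPublicKey
CURVES = {"2b81040022": ("P-384", 384), "2a8648ce3d030107": ("P-256", 256)}  # DER OID hex
MIN_RSA_BITS = 2048  # assumed policy floor; the thread only says 1024-bit RSA is rejected

def elements(buf, pos=0):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[pos:pos + n]
        pos += n

def describe_key(pem):
    """Return (algorithm, bits, acceptable) for an unencrypted PKCS#8 PEM private key."""
    m = re.search(r"-----BEGIN PRIVATE KEY-----(.+?)-----END PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("expected an unencrypted PKCS#8 'PRIVATE KEY' block")
    outer = next(elements(base64.b64decode(m.group(1))))[1]
    _, alg, priv = list(elements(outer))[:3]      # version, AlgorithmIdentifier, key octets
    oid, *params = elements(alg[1])
    if oid[1].hex() == RSA_OID:
        rsa = list(elements(next(elements(priv[1]))[1]))  # RSAPrivateKey: version, n, e, ...
        bits = int.from_bytes(rsa[1][1], "big").bit_length()
        return "RSA", bits, bits >= MIN_RSA_BITS
    if oid[1].hex() == EC_OID and params:
        name, bits = CURVES.get(params[0][1].hex(), ("unlisted curve", 0))
        return "EC " + name, bits, bits > 0       # acceptable only if the curve is listed
    raise ValueError("unsupported key algorithm")

def der(tag, *parts):  # tiny DER encoder for the samples below; lengths under 256 only
    v = b"".join(parts)
    return bytes([tag]) + (bytes([len(v)]) if len(v) < 128 else bytes([0x81, len(v)])) + v

def sample_pem(alg, inner):  # wrap constructed fields as unencrypted PKCS#8 PEM
    body = der(0x30, der(2, b"\0"), der(0x30, *alg), der(4, inner))
    return "-----BEGIN PRIVATE KEY-----\n%s-----END PRIVATE KEY-----\n" % base64.encodebytes(body).decode()

# Constructed samples: correct structure, placeholder numbers, not usable key material.
RSA1024 = sample_pem([der(6, bytes.fromhex(RSA_OID)), der(5)], der(0x30, der(2, b"\0"),
    der(2, b"\0" + (1 << 1023 | 1).to_bytes(128, "big")), der(2, b"\1\0\1")))
EC_P384 = sample_pem([der(6, bytes.fromhex(EC_OID)), der(6, bytes.fromhex("2b81040022"))],
    der(0x30, der(2, b"\1"), der(4, b"\x11" * 48)))
```

`describe_key(open("privkey.pem").read())` applies the same check to a key file; traditional `RSA PRIVATE KEY` and encrypted blocks are rejected with `ValueError` rather than guessed at.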



