diff options
| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2014-10-01 13:15:41 +0000 |
|---|---|---|
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2014-10-01 13:15:41 +0000 |
| commit | 80f99585f437a101cdca78c1ff66850d677dd90a (patch) | |
| tree | 7b937b523123016185c3cb119c238353514f1034 /usr.bin/openssl | |
| parent | 61f5630a0df7e8740a490f58a1568a4565907b74 (diff) | |
Switch "openssl req" to using SHA256 for hashes and AES256 to encrypt on-disk
keys by default (instead of SHA1/3DES) and update documentation to match.
Another way to do this is s/NID_sha1/NID_sha256/ in src/crypto/rsa/rsa_ameth.c
("case ASN1_PKEY_CTRL_DEFAULT_MD_NID") but going with the more targetted method
above that only affects "openssl req" for now.
Help/OK jsing@. OKs on earlier diffs changing openssl.cnf from phessler@ aja@
Diffstat (limited to 'usr.bin/openssl')
| -rw-r--r-- | usr.bin/openssl/openssl.1 | 15 | ||||
| -rw-r--r-- | usr.bin/openssl/req.c | 9 |
2 files changed, 12 insertions, 12 deletions
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1 index 7387a2d8edb..23f5fff8850 100644 --- a/usr.bin/openssl/openssl.1 +++ b/usr.bin/openssl/openssl.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: openssl.1,v 1.3 2014/09/16 16:05:44 jmc Exp $ +.\" $OpenBSD: openssl.1,v 1.4 2014/10/01 13:15:40 sthen Exp $ .\" ==================================================================== .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. .\" @@ -112,7 +112,7 @@ .\" .\" OPENSSL .\" -.Dd $Mdocdate: September 16 2014 $ +.Dd $Mdocdate: October 1 2014 $ .Dt OPENSSL 1 .Os .Sh NAME @@ -5583,7 +5583,7 @@ This gives the to write the newly created private key to. If this option is not specified, the filename present in the configuration file is used. -.It Fl md4 | md5 | sha1 +.It Fl md5 | sha1 | sha256 This specifies the message digest to sign the request with. This overrides the digest algorithm specified in the configuration file. .Pp @@ -5774,7 +5774,7 @@ They are currently ignored by request signing utilities, but some CAs might want them. .It Ar default_bits This specifies the default key size in bits. -If not specified, 512 is used. +If not specified, 2048 is used. It is used if the .Fl new option is used. @@ -5790,10 +5790,11 @@ option. .It Ar default_md This option specifies the digest algorithm to use. Possible values include -.Ar md5 +.Ar md5 , +.Ar sha1 and -.Ar sha1 . -If not present, MD5 is used. +.Ar sha256 . +If not present, SHA256 is used. This option can be overridden on the command line. .It Ar distinguished_name This specifies the section containing the distinguished name fields to diff --git a/usr.bin/openssl/req.c b/usr.bin/openssl/req.c index 98f3e1d84cd..99f10ecde0b 100644 --- a/usr.bin/openssl/req.c +++ b/usr.bin/openssl/req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: req.c,v 1.2 2014/08/28 14:23:52 jsing Exp $ */ +/* $OpenBSD: req.c,v 1.3 2014/10/01 13:15:40 sthen Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -97,7 +97,7 @@ #define STRING_MASK "string_mask" #define UTF8_IN "utf8" -#define DEFAULT_KEY_LENGTH 512 +#define DEFAULT_KEY_LENGTH 2048 #define MIN_KEY_LENGTH 384 @@ -184,9 +184,8 @@ req_main(int argc, char **argv) unsigned long chtype = MBSTRING_ASC; req_conf = NULL; -#ifndef OPENSSL_NO_DES - cipher = EVP_des_ede3_cbc(); -#endif + cipher = EVP_aes_256_cbc(); + digest = EVP_sha256(); infile = NULL; outfile = NULL; |