authorJonathan Gray <jsg@cvs.openbsd.org>2015-11-02 12:21:28 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2015-11-02 12:21:28 +0000
commitb5c8cf951d1dd1121383bb1ba16c29de32c8434e (patch)
treed363d074a0cad83b9d82d7fd544126ec74c76c50 /usr.sbin
parent522158b13d8ac56a1dae38e27ba6b6babc92250d (diff)
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req), this change also requires updating the installed ikeca.cnf or equivalent files. Requested by and ok reyk@ who also tested this against ios9 with iked.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ikectl/ikeca.c3
-rw-r--r--usr.sbin/ikectl/ikeca.cnf6
2 files changed, 5 insertions, 4 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 53d60312c38..401771560e9 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.39 2015/11/02 12:01:28 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.40 2015/11/02 12:21:27 jsg Exp $ */
/*
* Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -421,6 +421,7 @@ ca_create(struct ca *ca)
snprintf(cmd, sizeof(cmd), "%s x509 -req -days 365"
" -in %s/private/ca.csr -signkey %s/private/ca.key"
+ " -sha256"
" -extfile %s -extensions x509v3_CA -out %s/ca.crt -passin file:%s",
PATH_OPENSSL, ca->sslpath, ca->sslpath, ca->extcnf, ca->sslpath,
ca->passfile);
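Review bot: The snprintf that builds the openssl command line now carries one more token (`-sha256`), yet no line in the hunk checks its return value, so an over-long `ca->sslpath` would silently truncate `cmd` and the CA would be created from partial arguments — at worst a clipped `-out` or `-passin file:` path — instead of aborting. Unless a length check exists outside the hunk, capture the result and fail closed: `if (n < 0 || (size_t)n >= sizeof(cmd)) errx(1, "openssl command too long");` (or the file's usual error path). A short comment would also tell the next reader why the digest is pinned on the command line while the cnf carries `default_md`, e.g. `/* x509 -req does not read default_md from the cnf; pin the digest here */`, which is what the commit message states. ca_create's body starts and ends outside the hunk.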
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index 1a9b2afa674..e884090b442 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.7 2015/11/02 12:01:28 jsg Exp $
+# $OpenBSD: ikeca.cnf,v 1.8 2015/11/02 12:21:27 jsg Exp $
CERT_C = DE
CERT_ST = Lower Saxony
@@ -20,7 +20,7 @@ NSCERTTYPE = server,client
[ req ]
#default_bits = 2048
-#default_md = sha1
+#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
#attributes = req_attributes
@@ -100,7 +100,7 @@ emailAddress = optional
[CA_default]
database = $ENV::CADB
serial = $ENV::CASERIAL
-default_md = sha1
+default_md = sha256
default_days = 365
default_crl_days = 365
unique_subject = yes
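Review bot: `default_md = sha256` here governs only what `openssl ca` signs (issued certificates and, presumably, CRLs); the `[ req ]` section two hunks up leaves `default_md` commented out, so CSRs are still hashed with the tool's built-in default, which in 2015-era OpenSSL/LibreSSL was SHA-1. That is harmless for issued certificates because the CA re-signs them with this setting, but the asymmetry is a surprise worth documenting, e.g. `# digest for certs/CRLs signed by 'openssl ca'; x509 -req in ikeca.c pins -sha256 itself`. If the intent is to be uniformly SHA-256, uncomment `default_md = sha256` in `[ req ]` as well.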