EasyRSA's pkitool has the use of sha1 to sign certs hardcoded all over the place.
Date: Sat, 14 May 2022 11:14:12 UTC
Hi all,

After coming across the recent issue that OpenVPN clients using new versions of openssl wouldn't accept CA certs I'd generated a while ago, complaining that the signature was signed with a suitably strong hash, I went hunting. Turns out the openssl.cnf entry of what the message digest is supposed to be is overridden by the explicit invocation of -sha1 on the command line for a few of the commands.

-- 
"I and the public know
what all schoolchildren learn
Those to whom evil is done
Do evil in return"
W.H. Auden, "September 1, 1939"
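
Added example, not part of the original message and not EasyRSA code: a small scanner for the pattern the report describes, a digest flag on the openssl command line that overrides the message digest set in openssl.cnf. It goes slightly beyond the -sha1 case by also matching -md5 and the -md form that openssl ca accepts; the sample script, the $OPENSSL variable name and the function names are constructed assumptions.

```sh
#!/bin/sh
# Added example (not EasyRSA code): report openssl req/ca/x509 calls whose
# command line pins SHA-1 or MD5, which takes precedence over default_md.

# Reads a shell script on stdin or from file arguments.
# Prints LINE:FLAG:SUBCOMMAND, where LINE is where the logical line starts.
find_pinned_digests() {
    awk '
    function check(s, n,    f, i, k, cnt, cmd) {
        sub(/^[ \t]*/, "", s)
        if (s ~ /^#/) return                       # whole-line comment
        cnt = split(s, f, /[ \t]+/)
        for (i = 1; i < cnt; i++) {
            # Assumption: the binary is called as openssl, a path, or $OPENSSL
            if (f[i] != "openssl" && f[i] !~ /\/openssl$/ && f[i] != "$OPENSSL") continue
            cmd = f[i + 1]
            if (cmd != "req" && cmd != "ca" && cmd != "x509") continue
            for (k = i + 2; k <= cnt; k++) {
                if (f[k] == "-sha1" || f[k] == "-md5")
                    print n ":" f[k] ":" cmd
                else if (f[k] == "-md" && (f[k + 1] == "sha1" || f[k + 1] == "md5"))
                    print n ":-md " f[k + 1] ":" cmd
            }
        }
    }
    {
        if (buf == "") start = NR                  # logical line begins here
        line = $0
        cont = (line ~ /\\$/)                      # trailing backslash continues it
        if (cont) sub(/\\$/, "", line)
        buf = buf " " line
        if (!cont) { check(buf, start); buf = "" }
    }
    END { if (buf != "") check(buf, start) }
    ' "$@"
}

# Constructed sample input; these lines are not copied from pkitool.
sample_script() {
    cat <<'EOF'
# constructed sample
$OPENSSL req -batch -days 3650 -nodes -new -newkey rsa:2048 -sha1 \
    -x509 -keyout ca.key -out ca.crt -config "$KEY_CONFIG"
$OPENSSL req -batch -nodes -new -keyout client.key -out client.csr
$OPENSSL ca -batch -days 3650 -out client.crt \
    -in client.csr -md sha1 -config "$KEY_CONFIG"
# openssl req -sha1 -new
openssl x509 -in ca.crt -noout -text
EOF
}

sample_script | find_pinned_digests
```

Passing a script path as an argument scans that file instead of standard input; each hit marks a call where editing openssl.cnf alone will not change the signing digest.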