From ab66d55db9f8a3625f06b7f30c4654b5b9923f19 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 9 Aug 2017 16:44:24 +1200 Subject: [PATCH] s4/lib/tls: Use SHA256 to sign the TLS certificates The use of SHA-1 has been on the "do not" list for a while now, so make our self-signed certificates use SHA256 using the new gnutls_x509_crt_sign2 provided since GNUTLS 1.2.0 Signed-off-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=12953 --- source4/lib/tls/tlscert.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c index f1808d7cfd9..db4f2946ad4 100644 --- a/source4/lib/tls/tlscert.c +++ b/source4/lib/tls/tlscert.c @@ -106,7 +106,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize)); #endif - TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey)); + TLSCHECK(gnutls_x509_crt_sign2(cacrt, cacrt, cakey, + GNUTLS_DIG_SHA256, 0)); DEBUG(3,("Generating TLS certificate\n")); TLSCHECK(gnutls_x509_crt_init(&crt)); @@ -132,8 +133,10 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx, #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize)); #endif - TLSCHECK(gnutls_x509_crt_sign(crt, crt, key)); - TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey)); + TLSCHECK(gnutls_x509_crt_sign2(crt, crt, key, + GNUTLS_DIG_SHA256, 0)); + TLSCHECK(gnutls_x509_crt_sign2(crt, cacrt, cakey, + GNUTLS_DIG_SHA256, 0)); DEBUG(3,("Exporting TLS keys\n")); -- 2.11.0