compat.sh: quit using SHA-1 certificates
Replace server2.crt with server2-sha256.crt which, as the name implies, is just the SHA-256 version of the same certificate. Replace server1.crt with cert_sha256.crt which, as the name doesn't imply, is associated with the same key and just have a slightly different Subject Name, which doesn't matter in this instance. The other certificates used in this script (server5.crt and server6.crt) are already signed with SHA-256. This change is motivated by the fact that recent versions of GnuTLS (or older versions with the Debian patches) reject SHA-1 in certificates by default, as they should. There are options to still accept it (%VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1) but: - they're not available in all versions that reject SHA-1-signed certs; - moving to SHA-2 just seems cleaner anyway. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
244d06637f
commit
499bf4c0c8
1 changed files with 8 additions and 8 deletions
|
@ -956,14 +956,14 @@ setup_arguments()
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"RSA")
|
"RSA")
|
||||||
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2.crt key_file=data_files/server2.key"
|
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
|
||||||
O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2.crt -key data_files/server2.key"
|
O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key"
|
||||||
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key"
|
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key"
|
||||||
|
|
||||||
if [ "X$VERIFY" = "XYES" ]; then
|
if [ "X$VERIFY" = "XYES" ]; then
|
||||||
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server1.crt key_file=data_files/server1.key"
|
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key"
|
||||||
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server1.crt -key data_files/server1.key"
|
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key"
|
||||||
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server1.crt --x509keyfile data_files/server1.key"
|
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key"
|
||||||
else
|
else
|
||||||
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
|
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
|
||||||
fi
|
fi
|
||||||
|
@ -977,9 +977,9 @@ setup_arguments()
|
||||||
"PSK")
|
"PSK")
|
||||||
# give RSA-PSK-capable server a RSA cert
|
# give RSA-PSK-capable server a RSA cert
|
||||||
# (should be a separate type, but harder to close with openssl)
|
# (should be a separate type, but harder to close with openssl)
|
||||||
M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2.crt key_file=data_files/server2.key"
|
M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
|
||||||
O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
|
O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
|
||||||
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
|
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
|
||||||
|
|
||||||
M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
|
M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
|
||||||
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
|
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"
|
||||||
|
|
Loading…
Reference in a new issue