Move from sha1 to sha256 in examples and tests

Note that OpenSSL may not support -sha256 on all platforms so we
actually check for support before using it in `make test`.  For the
examples, a modern version of OpenSSL that supports -sha256 is assumed.

Issue:		#83
Daniel Roethlisberger 2015-03-24 20:31:38 +01:00
parent 35dae31624
commit 6e53e93d0f
2 changed files with 11 additions and 9 deletions


@ -12,6 +12,7 @@ CRT_DAYS?= 365
CRT_EXT:= v3_crt
CONFIG:= x509v3ca.cnf
PASSWORD:= test
DIGEST:= -$(shell echo test | openssl dgst -sha256 2>/dev/null | grep -q f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 && echo sha256 || echo sha1)
all: rsa dsa ec targets server pwd
@ -59,7 +60,7 @@ ec.key:
$(OPENSSL) ecparam -out $@ -name prime192v1 -genkey
%.crt: %.key $(CONFIG)
$(OPENSSL) req -new -nodes -x509 -sha1 -out $@ -key $< \
$(OPENSSL) req -new -nodes -x509 $(DIGEST) -out $@ -key $< \
-config $(CONFIG) -extensions $(CA_EXT) \
-subj $(CA_SUBJECT) \
-set_serial 0 -days $(CA_DAYS)
@ -68,7 +69,7 @@ server.key:
$(OPENSSL) genrsa -out $@ 1024
server.crt: server.key $(CONFIG)
$(OPENSSL) req -new -nodes -x509 -sha1 -out $@ -key $< \
$(OPENSSL) req -new -nodes -x509 $(DIGEST) -out $@ -key $< \
-config $(CONFIG) -extensions $(CRT_EXT) \
-subj $(CRT_SUBJECT) \
-set_serial 42 -days $(CRT_DAYS)
@ -82,10 +83,10 @@ targets: targets/daniel.roe.ch.pem targets/wildcard.roe.ch.pem
targets/daniel.roe.ch.pem: rsa.crt
$(MKDIR) -p targets
$(OPENSSL) genrsa -out targets/daniel.roe.ch.key 1024
$(OPENSSL) req -new -sha1 -subj '/C=CH/CN=daniel.roe.ch/' \
$(OPENSSL) req -new $(DIGEST) -subj '/C=CH/CN=daniel.roe.ch/' \
-key targets/daniel.roe.ch.key \
-out targets/daniel.roe.ch.csr
$(OPENSSL) x509 -req -sha1 -CAcreateserial -days 365 \
$(OPENSSL) x509 -req $(DIGEST) -CAcreateserial -days 365 \
-CA rsa.crt -CAkey rsa.key \
-in targets/daniel.roe.ch.csr \
-out targets/daniel.roe.ch.crt
@ -97,10 +98,10 @@ targets/daniel.roe.ch.pem: rsa.crt
targets/wildcard.roe.ch.pem: rsa.crt
$(MKDIR) -p targets
$(OPENSSL) genrsa -out targets/wildcard.roe.ch.key 1024
$(OPENSSL) req -new -sha1 -subj '/C=CH/CN=*.roe.ch/' \
$(OPENSSL) req -new $(DIGEST) -subj '/C=CH/CN=*.roe.ch/' \
-key targets/wildcard.roe.ch.key \
-out targets/wildcard.roe.ch.csr
$(OPENSSL) x509 -req -sha1 -CAcreateserial -days 365 \
$(OPENSSL) x509 -req $(DIGEST) -CAcreateserial -days 365 \
-CA rsa.crt -CAkey rsa.key \
-in targets/wildcard.roe.ch.csr \
-out targets/wildcard.roe.ch.crt
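Review bot: The sha256 probe in the new `DIGEST:=` assignment runs a literal `openssl`, while every recipe shown here runs `$(OPENSSL)`, so if OPENSSL is overridden the probe tests one binary and another signs the certificates. Using `$(OPENSSL) dgst -sha256` inside the `$(shell ...)` keeps probe and recipes on the same build; this assumes OPENSSL is assigned above this line, which the hunk does not show. The fallback to `-sha1` is also silent, so a test run on an old OpenSSL gives no hint that the fixtures are SHA-1 signed. A line such as `$(if $(filter -sha1,$(DIGEST)),$(warning openssl lacks -sha256; test certificates are signed with SHA-1))` directly after the assignment would make the downgrade visible in the test log.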


@ -624,7 +624,8 @@ compression and selecting only fast block cipher cipher suites and using a
precomputed private key \fBleaf.key\fP for the forged certificates
(most significant speed increase is gained by choosing fast algorithms and
small keysizes for the CA and leaf private keys; check \fBopenssl speed\fP for
algorithm performance on your system):
algorithm performance on your system and note that clients may not support all
algorithms and key sizes):
.LP
.HS
.nf
@ -664,8 +665,8 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
\fBEOF\fP
\fBopenssl genrsa -out ca.key 1024\fP
\fBopenssl req -new -nodes -x509 -sha1 -out ca.crt -key ca.key \\
\fBopenssl genrsa -out ca.key 2048\fP
\fBopenssl req -new -nodes -x509 -sha256 -out ca.crt -key ca.key \\
-config x509v3ca.cnf -extensions v3_ca \\
-subj '/O=SSLsplit Root CA/CN=SSLsplit Root CA/' \\
-set_serial 0 -days 3650\fP