Switch "openssl req" to using SHA256 for hashes and AES256 to encrypt on-disk

keys by default (instead of SHA1/3DES) and update documentation to match.

Another way to do this is s/NID_sha1/NID_sha256/ in src/crypto/rsa/rsa_ameth.c
("case ASN1_PKEY_CTRL_DEFAULT_MD_NID") but going with the more targetted method
above that only affects "openssl req" for now.

Help/OK jsing@. OKs on earlier diffs changing openssl.cnf from phessler@ aja@

1 files changed, 4 insertions, 5 deletions

diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c
index 98f3e1d84c..99f10ecde0 100644
--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.2 2014/08/28 14:23:52 jsing Exp $ */
+/* $OpenBSD: req.c,v 1.3 2014/10/01 13:15:40 sthen Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -97,7 +97,7 @@
 #define STRING_MASK     "string_mask"
 #define UTF8_IN         "utf8"
 
-#define DEFAULT_KEY_LENGTH      512
+#define DEFAULT_KEY_LENGTH      2048
 #define MIN_KEY_LENGTH          384
 
 
@@ -184,9 +184,8 @@ req_main(int argc, char **argv)
         unsigned long chtype = MBSTRING_ASC;
 
         req_conf = NULL;
-#ifndef OPENSSL_NO_DES
-        cipher = EVP_des_ede3_cbc();
-#endif
+        cipher = EVP_aes_256_cbc();
+        digest = EVP_sha256();
 
         infile = NULL;
         outfile = NULL;