Switch "openssl req" to using SHA256 for hashes and AES256 to encrypt on-disk

keys by default (instead of SHA1/3DES) and update documentation to match. Another way to do this is s/NID_sha1/NID_sha256/ in src/crypto/rsa/rsa_ameth.c ("case ASN1_PKEY_CTRL_DEFAULT_MD_NID") but going with the more targetted method above that only affects "openssl req" for now. Help/OK jsing@. OKs on earlier diffs changing openssl.cnf from phessler@ aja@
author: sthen <> 2014-10-01 13:15:40 +0000
committer: sthen <> 2014-10-01 13:15:40 +0000
commit: 5c5b544c2aae06ec114cfeaf631cd09a331ce9ea (patch)
tree: 67663f7db6cba735d8fc6ce3333a938521b78ff7 /src/usr.bin
parent: 4196588ba36e0ba5fa0fcb814fd943e5e3e60b62 (diff)
download: openbsd-5c5b544c2aae06ec114cfeaf631cd09a331ce9ea.tar.gz
openbsd-5c5b544c2aae06ec114cfeaf631cd09a331ce9ea.tar.bz2
openbsd-5c5b544c2aae06ec114cfeaf631cd09a331ce9ea.zip
2 files changed, 12 insertions, 12 deletions
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 7387a2d8ed..23f5fff885 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.3 2014/09/16 16:05:44 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.4 2014/10/01 13:15:40 sthen Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: September 16 2014 $
+.Dd $Mdocdate: October 1 2014 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -5583,7 +5583,7 @@ This gives the
 to write the newly created private key to.
 If this option is not specified, the filename present in the
 configuration file is used.
-.It Fl md4 | md5 | sha1
+.It Fl md5 | sha1 | sha256
 This specifies the message digest to sign the request with.
 This overrides the digest algorithm specified in the configuration file.
 .Pp
@@ -5774,7 +5774,7 @@ They are currently ignored by
 request signing utilities, but some CAs might want them.
 .It Ar default_bits
 This specifies the default key size in bits.
-If not specified, 512 is used.
+If not specified, 2048 is used.
 It is used if the
 .Fl new
 option is used.
@@ -5790,10 +5790,11 @@ option.
 .It Ar default_md
 This option specifies the digest algorithm to use.
 Possible values include
-.Ar md5
+.Ar md5 ,
+.Ar sha1
 and
-.Ar sha1 .
+.Ar sha256 .
-If not present, MD5 is used.
+If not present, SHA256 is used.
 This option can be overridden on the command line.
 .It Ar distinguished_name
 This specifies the section containing the distinguished name fields to
diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c
index 98f3e1d84c..99f10ecde0 100644
--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.2 2014/08/28 14:23:52 jsing Exp $ */
+/* $OpenBSD: req.c,v 1.3 2014/10/01 13:15:40 sthen Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -97,7 +97,7 @@
 #define STRING_MASK     "string_mask"
 #define UTF8_IN         "utf8"
-#define DEFAULT_KEY_LENGTH      512
+#define DEFAULT_KEY_LENGTH      2048
 #define MIN_KEY_LENGTH          384
@@ -184,9 +184,8 @@ req_main(int argc, char **argv)
        unsigned long chtype = MBSTRING_ASC;
        req_conf = NULL;
-#ifndef OPENSSL_NO_DES
+        cipher = EVP_aes_256_cbc();
-        cipher = EVP_des_ede3_cbc();
+        digest = EVP_sha256();
-#endif
        infile = NULL;
        outfile = NULL;
author	sthen <>	2014-10-01 13:15:40 +0000
committer	sthen <>	2014-10-01 13:15:40 +0000
commit	5c5b544c2aae06ec114cfeaf631cd09a331ce9ea (patch)
tree	67663f7db6cba735d8fc6ce3333a938521b78ff7 /src/usr.bin
parent	4196588ba36e0ba5fa0fcb814fd943e5e3e60b62 (diff)
download	openbsd-5c5b544c2aae06ec114cfeaf631cd09a331ce9ea.tar.gz openbsd-5c5b544c2aae06ec114cfeaf631cd09a331ce9ea.tar.bz2 openbsd-5c5b544c2aae06ec114cfeaf631cd09a331ce9ea.zip