diff --git a/Makefile.certificate b/Makefile.certificate
index e839427..4f9d55d 100644
--- a/Makefile.certificate
+++ b/Makefile.certificate
@@ -1,5 +1,8 @@
 UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
 SERIAL=0
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)
 .PHONY: usage
 .SUFFIXES: .key .csr .crt .pem
@@ -21,6 +24,7 @@ usage:
 @echo "To create a test certificate for use with Apache, run \"make testcert\"."
 @echo
 @echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+ @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
 @echo
 @echo Examples:
 @echo " make server.key"
@@ -38,7 +42,7 @@ usage:
 umask 77 ; \
 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
 cat $$PEM1 > $@ ; \
 echo "" >> $@ ; \
 cat $$PEM2 >> $@ ; \
@@ -46,7 +50,7 @@ usage:
 %.key:
 umask 77 ; \
- /usr/bin/openssl genrsa -aes128 2048 > $@
+ /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
 %.csr: %.key
 umask 77 ; \
@@ -54,7 +58,7 @@ usage:
 %.crt: %.key
 umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
 TLSROOT=/etc/pki/tls
 KEY=$(TLSROOT)/private/localhost.key
@@ -71,4 +75,4 @@ $(CSR): $(KEY)
 $(CRT): $(KEY)
 umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
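Review bot: `KEYLEN` and `DAYS` become user-overridable knobs in the first hunk with no validation, so `make server.key KEYLEN=512` silently produces a key well below any acceptable strength, and a non-numeric value only fails later inside the openssl recipe. A parse-time guard next to the definitions fails fast: `ifneq ($(filter-out 2048 3072 4096,$(strip $(KEYLEN))),)` / `$(error KEYLEN must be 2048, 3072 or 4096)` / `endif`, with an analogous check that `DAYS` is a positive integer. The same unchecked values feed the testcert, `%.key`, `%.crt` and `$(CRT)` hunks below, so one guard covers all of them. `TYPE=rsa:$(KEYLEN)` deliberately relies on recursive expansion so a command-line `KEYLEN=` still flows into it; a one-line comment such as `# recursive on purpose: picks up KEYLEN given on the command line` would keep a later cleanup from turning it into `:=`.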
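Review bot: `TYPE` is honoured only by the testcert recipe (`-newkey $(TYPE)`); the `%.key` rule in this hunk still calls `genrsa` with `$(KEYLEN)`, so `make server.key TYPE=...` quietly yields an RSA key of KEYLEN bits regardless, and the usage text added in the second hunk does not mention `TYPE` at all. Either document it as testcert-only, e.g. `@echo "TYPE=alg:param (default rsa:$(KEYLEN)) selects the key type for make testcert only"`, or generate `%.key` through the same `-newkey`-style selector so both paths agree. The `%.key` recipe is wholly inside this hunk; the `%.csr` rule that follows continues past it.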
diff --git a/openssl-1.0.0f-defaults.patch b/openssl-1.0.1e-defaults.patch similarity index 53% rename from openssl-1.0.0f-defaults.patch rename to openssl-1.0.1e-defaults.patch index d20c7fc..4323e87 100644 --- a/openssl-1.0.0f-defaults.patch +++ b/openssl-1.0.1e-defaults.patch @@ -1,13 +1,22 @@ -diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf ---- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100 -+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100 +diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf +--- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100 +@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi + + default_days = 365 # how long to certify for + default_crl_days= 30 # how long before next CRL +-default_md = default # use public key default MD ++default_md = sha256 # use SHA-256 by default + preserve = no # keep passed DN ordering + + # A few difference way of specifying how similar the request should look @@ -103,7 +103,8 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 -+default_md = sha1 ++default_md = sha256 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes @@ -25,7 +34,7 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn +#stateOrProvinceName_default = Default Province localityName = Locality Name (eg, city) -+localityName_default = Default City ++localityName_default = Default City 0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd 
@@ -42,3 +51,12 @@ diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cn
 commonName_max = 64
 emailAddress = Email Address
+@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
+ default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+ other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+-digests = md5, sha1 # Acceptable message digests (mandatory)
++digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+ accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ clock_precision_digits = 0 # number of digits after dot. (optional)
+ ordering = yes # Is ordering defined for timestamps?
diff --git a/openssl.spec b/openssl.spec
index 6b085e9..fb98620 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 38%{?dist}
+Release: 39%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -39,7 +39,7 @@ Source12: ec_curve.c
 Source13: ectest.c
 # Build changes
 Patch1: openssl-1.0.1-beta2-rpmbuild.patch
-Patch2: openssl-1.0.0f-defaults.patch
+Patch2: openssl-1.0.1e-defaults.patch
 Patch4: openssl-1.0.0-beta5-enginesdir.patch
 Patch5: openssl-0.9.8a-no-rpath.patch
 Patch6: openssl-0.9.8b-test-use-localhost.patch
@@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
+* Thu Feb 6 2014 Tomáš Mráz 1.0.1e-39
+- make expiration and key length changeable by DAYS and KEYLEN variables in the certificate Makefile (#1058108)
+- change default hash to sha256 (#1062325)
+
 * Wed Jan 22 2014 Tomáš Mráz 1.0.1e-38
 - make 3des strength to be 128 bits instead of 168 (#1056616)
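Review bot: The rewritten `digests` line still lists `sha1` as an acceptable timestamp-request digest, while the same commit moves `default_md` to sha256 in both the CA and req sections, so a TSA built from these defaults keeps accepting SHA-1 hashed requests. Unless compatibility with older TSA clients is a deliberate goal, `digests = sha256, sha384, sha512` would match the rest of the change; if sha1 is kept on purpose, a comment on the line above such as `# sha1 retained for older TSA clients; remove when no longer needed` records the decision. Dropping `md5` is the right call either way.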