e6b3bc8410
This patch was provided upstream by the OpenStack team for TLS-Everywhere support. This changes the ciphers used when creating PKCS#12 files. Resolves: #1954618
39 lines
1.1 KiB
Diff
39 lines
1.1 KiB
Diff
From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
|
|
From: Ade Lee <alee@redhat.com>
|
|
Date: Wed, 14 Apr 2021 15:34:48 -0400
|
|
Subject: [PATCH] Fix local CA to work under FIPS
|
|
|
|
The PKCS12 file used for the local CA fails to be created because
|
|
it uses default OpenSSL encryption algorithms that are disallowed
|
|
under FIPS. This patch simply updates the PKCS12_create() command
|
|
to use allowed encryption algorithms.
|
|
---
|
|
src/local.c | 4 +++-
|
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/local.c b/src/local.c
|
|
index 92bea144..2f50ac77 100644
|
|
--- a/src/local.c
|
|
+++ b/src/local.c
|
|
@@ -39,6 +39,7 @@
|
|
|
|
#include <openssl/asn1.h>
|
|
#include <openssl/err.h>
|
|
+#include <openssl/obj_mac.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/pkcs12.h>
|
|
#include <openssl/rand.h>
|
|
@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
|
|
return CM_SUBMIT_STATUS_UNREACHABLE;
|
|
}
|
|
p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
|
|
- cas, 0, 0, 0, 0, 0);
|
|
+ cas, NID_aes_128_cbc, NID_aes_128_cbc,
|
|
+ 0, 0, 0);
|
|
if (p12 != NULL) {
|
|
if (!i2d_PKCS12_fp(fp, p12)) {
|
|
fclose(fp);
|
|
--
|
|
2.26.3
|
|
|