Applied patches for not using md5. Additionally, the root CA is no 4096 bits, host/clients are 2048 bits (both RSA). Openssl is now choosing the random seed automatically, removed the '-rand' parameter.

2026-04-28 03:33:25 +02:00 · 2015-03-14 15:33:35 +01:00
parent 6f49ea2ea2
commit 3847730c17
2 changed files with 12 additions and 12 deletions
--- a/config/ssl/openssl.cnf
+++ b/config/ssl/openssl.cnf
@@ -21,7 +21,7 @@ RANDFILE	= $dir/tmp/.rand
 x509_extensions	= usr_cert
 default_days	= 999999
 default_crl_days= 30
-default_md	= md5
+default_md	= sha256
 preserve	= no
 policy		= policy_match
 email_in_dn	= no
@@ -35,7 +35,7 @@ commonName		= supplied
 emailAddress		= optional

 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes