[Spice-devel] [PATCH spice-server] tests/pki: Use CA/certificate valid until 2048 and with 2048 bits

Daniel P. Berrangé berrange at redhat.com
Thu Dec 6 15:41:49 UTC 2018


On Thu, Dec 06, 2018 at 04:35:56PM +0100, Christophe Fergeau wrote:
> On Tue, Dec 04, 2018 at 01:19:31PM +0000, Frediano Ziglio wrote:
> > This changes tests/pki/server-cert.pem and tests/pki/ca-cert.pem to have
> > 2048 bits. These certificates were generated using the
> > instructions on https://www.spice-space.org/spice-user-manual.html
> > The -subj args were omitted, and the defaults suggested by openssl used.
> > The -days parameter was changed to -days 10950, the bits to 2048.
> > 
> > This fixes https://gitlab.freedesktop.org/spice/spice/issues/27.
> 
> I would add in the commit log that some distros are starting to use
> stricter settings for their openssl configuration, which forbids 2048 bit
> keys, and causes test suite failures.

Is it possible for apps using openssl to override the default crypto
algorithm configuration? If so, the tests could set an explicit
config so they run under a predictable setup that's known to be
compatible with the certs that are hardcoded.  This is how we dealt
with the same problem in QEMU & libvirt using gnutls, so we don't
have to play cat+mouse in the future as crypto settings change again
in distros.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
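
The quoted commit message regenerates the test CA and server certificate with 2048-bit keys and `-days 10950`. As an added example (not part of this message or of spice-server), here is a shell check a test suite could run to flag hard-coded certificates that fall below a key-size or validity threshold. The function names, subjects and thresholds are assumptions, and an `openssl` binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example: audit test certificates for key size and remaining validity.
# Assumes an `openssl` binary on PATH; all function names are hypothetical.

# Print the public key size in bits of the PEM certificate in $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only if certificate $1 has a key of at least $2 bits and stays
# valid for at least $3 more days. Returns 1 on a policy failure, 2 on error.
audit_cert() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || { echo "$1: cannot read key size"; return 2; }
    [ "$bits" -ge "$2" ] || { echo "$1: $bits-bit key, want >= $2"; return 1; }
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null ||
        { echo "$1: expires within $3 days"; return 1; }
    echo "$1: OK ($bits bits)"
}

# Build a constructed CA and server certificate in directory $1 with RSA
# keys of $2 bits, valid for $3 days. The subjects are sample values.
make_test_pki() {
    openssl genrsa -out "$1/ca-key.pem" "$2" 2>/dev/null &&
    openssl req -new -x509 -days "$3" -key "$1/ca-key.pem" \
        -subj "/CN=Constructed test CA" -out "$1/ca-cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/server-key.pem" "$2" 2>/dev/null &&
    openssl req -new -key "$1/server-key.pem" -subj "/CN=localhost" \
        -out "$1/server-key.csr" 2>/dev/null &&
    openssl x509 -req -days "$3" -in "$1/server-key.csr" -CA "$1/ca-cert.pem" \
        -CAkey "$1/ca-key.pem" -set_serial 01 -out "$1/server-cert.pem" 2>/dev/null
}

# Demo on constructed certificates: 2048-bit keys, 10950 days of validity.
dir=$(mktemp -d)
make_test_pki "$dir" 2048 10950
audit_cert "$dir/ca-cert.pem" 2048 3650
audit_cert "$dir/server-cert.pem" 2048 3650
rm -rf "$dir"
```
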
