[Spice-devel] [PATCH spice-server] tests/pki: Use CA/certificate valid until 2048 and with 2048 bits

Frediano Ziglio fziglio at redhat.com
Fri Dec 7 10:57:35 UTC 2018


> On Thu, Dec 06, 2018 at 04:35:56PM +0100, Christophe Fergeau wrote:
> > On Tue, Dec 04, 2018 at 01:19:31PM +0000, Frediano Ziglio wrote:
> > > This changes tests/pki/server-cert.pem and tests/pki/ca-cert.pem to have
> > > 2048 bits. These certificates were generated using the
> > > instructions on https://www.spice-space.org/spice-user-manual.html
> > > The -subj args were omitted, and the defaults suggested by openssl used.
> > > The -days parameter was changed to -days 10950, the bits to 2048.
> > > 
> > > This fixes https://gitlab.freedesktop.org/spice/spice/issues/27.
> > 
> > I would add in the commit log that some distros are starting to use
> > stricter settings for their openssl configuration, which forbids 2048 bit
> > keys, and causes test suite failures.
> 
> Is it possible for apps using openssl to override the default crypto
> algorithm configuration ?  If so, the tests could set an explicit
> config so they run under a predictable setup that's known to be
> compatible with the certs that are hardcoded.  This is how we dealt
> with the same problem in QEMU & libvirt using gnutls, so we don't
> have to play cat+mouse in the future as crypto settings change again
> in distros.
> 
> Regards,
> Daniel

Try to have a look at OpenSSL. Yes, it is possible to change the default.
However, the same function that loads the certificates also creates the OpenSSL
context (which would need to be set), so this requires a bit of code change.
I don't think the cat+mouse work is so expensive.

Frediano

