TLS: Use SHA256 instead of SHA1 for cert generation

With newer OpenSSL libraries (e.g. version 1.1.1d), SHA1 certificates are outright rejected, so we move forward to a stronger digest as well. Credits to @JeffreyVIP for the report! Fixes #2366
OpenSIPS · Jul 7, 2021 · 572d2db · 572d2db
1 parent af0f4b5
commit 572d2db
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/docs/modules/tls.md b/docs/modules/tls.md
@@ -26,7 +26,7 @@ List of `opensips-cli.cfg` settings for configuring self-signed CA certificates:
 * tls_ca_organisational_unit - the organisational unit (e.g. "Project")
 * tls_ca_notafter - the validity period, in seconds (e.g. 315360000)
 * tls_ca_key_size - the size of the RSA key, in bits (e.g. 4096)
-* tls_ca_md - the digest algorithm to use for signing (e.g. SHA1)
+* tls_ca_md - the digest algorithm to use for signing (e.g. SHA256)
 
 List of `opensips-cli.cfg` settings for configuring user certificates:
 
@@ -45,7 +45,7 @@ List of `opensips-cli.cfg` settings for configuring user certificates:
 * tls_user_organisational_unit - the organisational unit (e.g. "Project")
 * tls_user_notafter - the validity period, in seconds (e.g. 315360000)
 * tls_user_key_size - the size of the RSA key, in bits (e.g. 4096)
-* tls_user_md - the digest algorithm to use for signing (e.g. SHA1)
+* tls_user_md - the digest algorithm to use for signing (e.g. SHA256)
 
 
 ## Examples
@@ -69,7 +69,7 @@ tls_ca_organisation: OpenSIPS
 tls_ca_organisational_unit: Project
 tls_ca_notafter: 315360000
 tls_ca_key_size: 4096
-tls_ca_md: SHA1
+tls_ca_md: SHA256
 ```
 
 To create a user certificate signed by the above rootCA, along with a private
@@ -95,5 +95,5 @@ tls_user_organisation: OpenSIPS
 tls_user_organisational_unit: Project
 tls_user_notafter: 315360000
 tls_user_key_size: 4096
-tls_user_md: SHA1
+tls_user_md: SHA256
 ```
diff --git a/opensipscli/modules/tls.py b/opensipscli/modules/tls.py
@@ -86,7 +86,7 @@ def do_rootCA(self, params):
         key.generate_key(crypto.TYPE_RSA, key_size)
 
         cert.set_pubkey(key)
-        md = cfg.read_param("tls_ca_md", "Digest Algorithm", "SHA1")
+        md = cfg.read_param("tls_ca_md", "Digest Algorithm", "SHA256")
         cert.sign(key, md)
 
         try:
@@ -182,7 +182,7 @@ def do_userCERT(self, params):
         key.generate_key(crypto.TYPE_RSA, key_size)
 
         cert.set_pubkey(key)
-        md = cfg.read_param("tls_user_md", "Digest Algorithm", "SHA1")
+        md = cfg.read_param("tls_user_md", "Digest Algorithm", "SHA256")
         cert.sign(ca_key, md)
 
         try: