[PATCH] Don't auto-generate SHA1 certificates any more

Andrew Bartlett abartlet at samba.org
Wed Aug 9 05:01:33 UTC 2017

Samba's self-signed certificates are meant to be replaced by proper
certificates, but few people do that. 

Either way, we shouldn't use SHA1.  It has been on the 'do not use'
list for quite some time now. 

If someone can review this into master, I would then like to backport
it to supported releases. 


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

-------------- next part --------------
From ab66d55db9f8a3625f06b7f30c4654b5b9923f19 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Wed, 9 Aug 2017 16:44:24 +1200
Subject: [PATCH] s4/lib/tls: Use SHA256 to sign the TLS certificates

The use of SHA-1 has been on the "do not" list for a while now, so make our
self-signed certificates use SHA256 using the new
gnutls_x509_crt_sign2 provided since GNUTLS 1.2.0

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12953
 source4/lib/tls/tlscert.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/source4/lib/tls/tlscert.c b/source4/lib/tls/tlscert.c
index f1808d7cfd9..db4f2946ad4 100644
--- a/source4/lib/tls/tlscert.c
+++ b/source4/lib/tls/tlscert.c
@@ -106,7 +106,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 	TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
-	TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));
+	TLSCHECK(gnutls_x509_crt_sign2(cacrt, cacrt, cakey,
+				       GNUTLS_DIG_SHA256, 0));
 	DEBUG(3,("Generating TLS certificate\n"));
@@ -132,8 +133,10 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 	TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
-	TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
-	TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey));
+	TLSCHECK(gnutls_x509_crt_sign2(crt, crt, key,
+				       GNUTLS_DIG_SHA256, 0));
+	TLSCHECK(gnutls_x509_crt_sign2(crt, cacrt, cakey,
+				       GNUTLS_DIG_SHA256, 0));
 	DEBUG(3,("Exporting TLS keys\n"));

More information about the samba-technical mailing list