From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: make expiration and key length changeable by DAYS and KEYLEN
Date: Tue, 09 Jun 2026 12:43:13 GMT [thread overview]
Message-ID: <178100899389.1.11182140933254064250.rpms-openssl-abe62302b257@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/openssl
Branch : rebase_40beta
Commit : abe62302b25793e5a5c2b66829c328c93b67d051
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date : 2014-02-06T18:07:59+01:00
Stats : +77/-50 in 4 file(s)
URL : https://src.fedoraproject.org/rpms/openssl/c/abe62302b25793e5a5c2b66829c328c93b67d051?branch=rebase_40beta
Log:
make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
---
diff --git a/Makefile.certificate b/Makefile.certificate
index e839427..4f9d55d 100644
--- a/Makefile.certificate
+++ b/Makefile.certificate
@@ -1,5 +1,8 @@
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0
+DAYS=365
+KEYLEN=2048
+TYPE=rsa:$(KEYLEN)
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
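Review bot: The values given for `KEYLEN` and `DAYS` are not checked anywhere in the lines shown, so a key length below the 2048 default or a mistyped number is handed straight to `openssl`. A parse-time check that calls `$(error ...)` (or at least `$(warning ...)`) when `$(KEYLEN)` is not an integer of at least 2048 would catch this before any key is written. The new knobs also deserve a comment above them, for example `# Overridable on the command line: DAYS = validity in days, KEYLEN = RSA modulus bits, TYPE = argument to "openssl req -newkey"`. `TYPE` only reaches the `-newkey` recipe in the third hunk, while `%.key` uses `KEYLEN` with `genrsa`, and the usage text added in the second hunk does not mention `TYPE` at all.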
@@ -21,6 +24,7 @@ usage:
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
+ @echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
@echo
@echo Examples:
@echo " make server.key"
@@ -38,7 +42,7 @@ usage:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+ /usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
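Review bot: The changed `openssl req` line still ends in `; \`, so when it fails, which is more likely now that `TYPE` and `DAYS` come from the caller, the following `cat` lines run anyway and leave an empty or partial `$@`. Whether make reports any error depends on the last command of the recipe, which lies outside the hunk; the recipe also starts above it. Ending the line with `|| { rm -f $$PEM1 $$PEM2 ; exit 1 ; } ; \` would stop the recipe with a failing status and still remove the temporary files, one of which holds the private key unencrypted because of `-nodes`.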
@@ -46,7 +50,7 @@ usage:
%.key:
umask 77 ; \
- /usr/bin/openssl genrsa -aes128 2048 > $@
+ /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
umask 77 ; \
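Review bot: With `> $@` the shell creates the key file before `openssl genrsa` runs, so a rejected `$(KEYLEN)` or an aborted passphrase prompt leaves an empty file at the target. No `.DELETE_ON_ERROR:` is visible in the hunks shown, and without it the next `make` run would treat that file as up to date and pass it to the `%.csr` and `%.crt` rules. Adding `.DELETE_ON_ERROR:` next to `.SUFFIXES` is the simplest fix; letting openssl open the file itself with `/usr/bin/openssl genrsa -aes128 -out $@ $(KEYLEN)` should also help when the arguments are rejected up front. The `%.csr` recipe at the end of the hunk continues outside it.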
@@ -54,7 +58,7 @@ usage:
%.crt: %.key
umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days 365 -out $@ -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
@@ -71,4 +75,4 @@ $(CSR): $(KEY)
$(CRT): $(KEY)
umask 77 ; \
- /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days 365 -out $(CRT) -set_serial $(SERIAL)
+ /usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
diff --git a/openssl-1.0.0f-defaults.patch b/openssl-1.0.0f-defaults.patch
deleted file mode 100644
index d20c7fc..0000000
--- a/openssl-1.0.0f-defaults.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -up openssl-1.0.0f/apps/openssl.cnf.defaults openssl-1.0.0f/apps/openssl.cnf
---- openssl-1.0.0f/apps/openssl.cnf.defaults 2011-12-06 01:01:00.000000000 +0100
-+++ openssl-1.0.0f/apps/openssl.cnf 2012-01-05 13:16:15.000000000 +0100
-@@ -103,7 +103,8 @@ emailAddress = optional
-
- ####################################################################
- [ req ]
--default_bits = 1024
-+default_bits = 2048
-+default_md = sha1
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
diff --git a/openssl-1.0.1e-defaults.patch b/openssl-1.0.1e-defaults.patch
new file mode 100644
index 0000000..4323e87
--- /dev/null
+++ b/openssl-1.0.1e-defaults.patch
@@ -0,0 +1,62 @@
+diff -up openssl-1.0.1e/apps/openssl.cnf.defaults openssl-1.0.1e/apps/openssl.cnf
+--- openssl-1.0.1e/apps/openssl.cnf.defaults 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/openssl.cnf 2014-02-06 18:00:00.170929334 +0100
+@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
+
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+-default_md = default # use public key default MD
++default_md = sha256 # use SHA-256 by default
+ preserve = no # keep passed DN ordering
+
+ # A few difference way of specifying how similar the request should look
+@@ -103,7 +103,8 @@ emailAddress = optional
+
+ ####################################################################
+ [ req ]
+-default_bits = 1024
++default_bits = 2048
++default_md = sha256
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+
+ [ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+-countryName_default = AU
++countryName_default = XX
+ countryName_min = 2
+ countryName_max = 2
+
+ stateOrProvinceName = State or Province Name (full name)
+-stateOrProvinceName_default = Some-State
++#stateOrProvinceName_default = Default Province
+
+ localityName = Locality Name (eg, city)
++localityName_default = Default City
+
+ 0.organizationName = Organization Name (eg, company)
+-0.organizationName_default = Internet Widgits Pty Ltd
++0.organizationName_default = Default Company Ltd
+
+ # we can do this but it is not needed normally :-)
+ #1.organizationName = Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
+ organizationalUnitName = Organizational Unit Name (eg, section)
+ #organizationalUnitName_default =
+
+-commonName = Common Name (e.g. server FQDN or YOUR name)
++commonName = Common Name (eg, your name or your server\'s hostname)
+ commonName_max = 64
+
+ emailAddress = Email Address
+@@ -339,7 +341,7 @@ signer_key = $dir/private/tsakey.pem # T
+ default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+ other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+-digests = md5, sha1 # Acceptable message digests (mandatory)
++digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+ accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+ clock_precision_digits = 0 # number of digits after dot. (optional)
+ ordering = yes # Is ordering defined for timestamps?
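Review bot: The timestamping `digests` line in the last inner hunk drops `md5` but keeps `sha1` in the accepted list, while the same patch moves both `default_md` settings to `sha256`. If `sha1` is kept on purpose for existing timestamp clients, a short comment saying so would help, for example `# sha1 kept for compatibility with older timestamp clients`; otherwise the line could read `digests = sha256, sha384, sha512`. The spec changelog in this commit records only the default hash change, so the removal of `md5` for timestamp requests is not mentioned there.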
diff --git a/openssl.spec b/openssl.spec
index 6b085e9..fb98620 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1e
-Release: 38%{?dist}
+Release: 39%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -39,7 +39,7 @@ Source12: ec_curve.c
Source13: ectest.c
# Build changes
Patch1: openssl-1.0.1-beta2-rpmbuild.patch
-Patch2: openssl-1.0.0f-defaults.patch
+Patch2: openssl-1.0.1e-defaults.patch
Patch4: openssl-1.0.0-beta5-enginesdir.patch
Patch5: openssl-0.9.8a-no-rpath.patch
Patch6: openssl-0.9.8b-test-use-localhost.patch
@@ -474,6 +474,11 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Feb 6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
+- make expiration and key length changeable by DAYS and KEYLEN
+ variables in the certificate Makefile (#1058108)
+- change default hash to sha256 (#1062325)
+
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
- make 3des strength to be 128 bits instead of 168 (#1056616)