s4/lib/tls: Use SHA256 to sign the TLS certificates
authorAndrew Bartlett <abartlet@samba.org>
Wed, 9 Aug 2017 04:44:24 +0000 (16:44 +1200)
committerGarming Sam <garming@samba.org>
Tue, 15 Aug 2017 06:07:10 +0000 (08:07 +0200)
The use of SHA-1 has been on the "do not" list for a while now, so make our
self-signed certificates use SHA256 using the new
gnutls_x509_crt_sign2 provided since GNUTLS 1.2.0

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12953

source4/lib/tls/tlscert.c

index f1808d7cfd947141edb2fe03e1cb15413252ead0..db4f2946ad4a308cc7d14194e36577cfa57fac4a 100644 (file)
@@ -106,7 +106,8 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
        TLSCHECK(gnutls_x509_crt_set_subject_key_id(cacrt, keyid, keyidsize));
 #endif
-       TLSCHECK(gnutls_x509_crt_sign(cacrt, cacrt, cakey));
+       TLSCHECK(gnutls_x509_crt_sign2(cacrt, cacrt, cakey,
+                                      GNUTLS_DIG_SHA256, 0));
 
        DEBUG(3,("Generating TLS certificate\n"));
        TLSCHECK(gnutls_x509_crt_init(&crt));
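Review bot: The digest is spelled out as the literal `GNUTLS_DIG_SHA256, 0` at the CA signing call here and again at both signing calls in the following hunk, so the signature policy now lives in three places. A single file-level name used at all three calls, for example `#define TLS_CERT_SIGN_DIGEST GNUTLS_DIG_SHA256`, would keep the CA and the leaf certificate on the same digest the next time it is raised. A comment beside it such as `/* SHA-1 signatures are no longer acceptable; the last argument to gnutls_x509_crt_sign2 is a flags word that must be 0 */` would also explain the bare `0`. tls_cert_generate starts before this hunk and continues after it, so the definition would sit outside the lines shown.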
@@ -132,8 +133,10 @@ void tls_cert_generate(TALLOC_CTX *mem_ctx,
 #if HAVE_GNUTLS_X509_CRT_SET_SUBJECT_KEY_ID
        TLSCHECK(gnutls_x509_crt_set_subject_key_id(crt, keyid, keyidsize));
 #endif
-       TLSCHECK(gnutls_x509_crt_sign(crt, crt, key));
-       TLSCHECK(gnutls_x509_crt_sign(crt, cacrt, cakey));
+       TLSCHECK(gnutls_x509_crt_sign2(crt, crt, key,
+                                      GNUTLS_DIG_SHA256, 0));
+       TLSCHECK(gnutls_x509_crt_sign2(crt, cacrt, cakey,
+                                      GNUTLS_DIG_SHA256, 0));
 
        DEBUG(3,("Exporting TLS keys\n"));