On Thu, Dec 06, 2018 at 04:35:56PM +0100, Christophe Fergeau wrote: > On Tue, Dec 04, 2018 at 01:19:31PM +0000, Frediano Ziglio wrote: > > This changes tests/pki/server-cert.pem and tests/pki/ca-cert.pem to have > > 2048 bits. These certificates were generated using the > > instructions on https://www.spice-space.org/spice-user-manual.html > > The -subj args were omitted, and the defaults suggested by openssl used. > > The -days parameter was changed to -days 10950, the bits to 2048. > > > > This fixes https://gitlab.freedesktop.org/spice/spice/issues/27. > > I would add in the commit log that some distros are starting to use > stricter settings for their openssl configuration, which forbids 2048 bit > keys, and causes test suite failures. Is it possible for apps using openssl to override the default crypto algorithm configuration ? If so, the tests could set an explicit config so they run under a predictable setup that's known to be compatible with the certs that are hardcoded. This is how we dealt with the same problem in QEMU & libvirt using gnutls, so we don't have to play cat+mouse in the future as crypto settings change again in distros. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel