From: Remi Collet <remi@php.net>
Date: Fri, 14 Mar 2014 08:50:15 +0000 (+0100)
Subject: Fixed Bug #66833 Default digest algo is still MD5
X-Git-Tag: php-5.4.27RC1~5
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=17f6391bf8bc5e0e74ea981c795455a18826ed35;p=php

Fixed Bug #66833 Default digest algo is still MD5

Switch to SHA1, which match internal openssl hardcoded algo.

In most case, won't even be noticed
- priority on user input (default_md)
- fallback on system config
- fallback on this default value

Recent system reject MD5 digest, noticed in bug36732.phpt failure.

While SHA1 is better than MD5, SHA256 is recommenced,
and defined as default algo in provided configuration on
recent system (Fedora 21, RHEL-7, ...). But the idea is to
keep in sync with openssl internal value for PHP internal value.
---

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index b2ac712bcc..88ad2ef129 100755
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -858,7 +858,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
 		req->digest = req->md_alg = EVP_get_digestbyname(req->digest_name);
 	}
 	if (req->md_alg == NULL) {
-		req->md_alg = req->digest = EVP_md5();
+		req->md_alg = req->digest = EVP_sha1();
 	}
 
 	PHP_SSL_CONFIG_SYNTAX_CHECK(extensions_section);
diff --git a/ext/openssl/tests/openssl.cnf b/ext/openssl/tests/openssl.cnf
index 6ba37cb953..4ed40fdc8a 100644
--- a/ext/openssl/tests/openssl.cnf
+++ b/ext/openssl/tests/openssl.cnf
@@ -3,7 +3,6 @@ default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-default_md		= sha1
 x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 string_mask = MASK:4294967295