commit 70e7d28b3edebd1e288e68ba7c7c17acd4d91b2d Author: Nick Mathewson nickm@torproject.org Date: Sun Sep 11 17:54:12 2016 -0400
Generate our x509 certificates using sha256, not sha1.
All supported Tors (0.2.4+) require versions of openssl that can handle this.
Now that our link certificates are RSA2048, this might actually help vs fingerprinting a little.
---
 src/common/tortls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 0315398..eb24411 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -523,7 +523,8 @@ MOCK_IMPL(STATIC X509 *,
 goto error;
 if (!X509_set_pubkey(x509, pkey))
 goto error;
- if (!X509_sign(x509, sign_pkey, EVP_sha1()))
+
+ if (!X509_sign(x509, sign_pkey, EVP_sha256()))
 goto error;
goto done;
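Review bot: The digest passed to `X509_sign()` is chosen inline with no comment, so the reasoning in the commit message is lost at the call site: every supported peer's OpenSSL can verify SHA-256, and the signature algorithm is visible to anyone observing the handshake. I would add above the call `/* Sign with SHA-256: SHA-1 signatures are deprecated, and all supported versions link an OpenSSL that can verify SHA-256. */`. The diffstat shows only this file changed, so nothing visible here pins the digest. Assuming no such test exists elsewhere, a unit test asserting the generated certificate's signature algorithm would catch a later edit that silently reverts to SHA-1. The enclosing function begins and ends outside the hunk.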