From: Marcin M. <ma...@me...> - 2011-12-27 15:28:45
Hello!
I'm using openvpn-2.1.4 (gentoo). I built ca.crt (using build-ca), then I
displayed info about the cert. I saw it used the sha1 algorithm. I started
to wonder how I can change to sha2. In openssl.cnf (the one in easy-rsa)
I found this definition:
[ Ca_default ]
...
default_md = md5
But md5 wasn't used to create any crt. That's good news :) The bad news is
that using md5 is not recommended.
Next I discovered I should put the option "default_md=" in the [ Ca_default ]
section when I want to build a client key (build-key) and in the [ req ]
section when I want to build ca.crt. OK, let me go ahead. I put
"default_md=sha256" into both sections. I created ca.crt and client.crt. Neither
of them uses sha256; they have sha1 as hash function.
I found that pkitool forces the use of the sha1 hash (openssl arguments passed
via the CLI have higher priority than those in the config file).
Finally I made small changes to pkitool and voilà, "default_md" works
for me.
Summary: I'm asking for:
a) changing the default option in openssl.cnf shipped with openvpn (sha1?
sha2 [e.g. sha256]?)
b) allowing the default hash function to be changed (not forcing the sha1
algorithm)
Thank you.
Below is a diff of my changes (probably TB will wrap lines in the wrong
place, sorry).
--- /usr/share/openvpn/easy-rsa/pkitool 2011-12-27 15:28:07.189551531 +0100
+++ /usr/share/openvpn/easy-rsa/._cfg0000_pkitool 2011-12-27
15:36:17.000000000 +0100
@@ -316,7 +316,7 @@
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey
rsa:$KEY_SIZE \
+ $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey
rsa:$KEY_SIZE -sha1 \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG"
&& \
chmod 0600 "$CA.key"
else
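Review bot: the direction of this hunk is reversed relative to the change the mail describes: the `+` line is the one carrying the hard-coded digest (`rsa:$KEY_SIZE -sha1 \`), so the `+++` file (`._cfg0000_pkitool`, the package's pending copy) is the original and the `---` file (`pkitool`) is the edited one. Regenerate the diff with the original as the first argument so that dropping `-sha1` shows up as a `-` line; applied as posted, this hunk would re-add the forced SHA-1 to `openssl req` rather than remove it. The wrapped continuation lines (`rsa:$KEY_SIZE \` on its own line) will also need rejoining before `patch` accepts the hunk, as the mail anticipates.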
@@ -350,7 +350,7 @@
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE
$NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config
"$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE
-out "$FN.crt" \
- -in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
+ -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey
"$FN.key" \
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12"
$NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key"
) && \
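Review bot: same reversed direction here: the `+` line `-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG"` is the package version with the hard-coded digest, and the `-` line is the edit that drops `-md sha1` so that `openssl ca` falls back to `default_md` from `$KEY_CONFIG`. Once `-md sha1` is gone, an unedited openssl.cnf still shipping `default_md = md5` (quoted earlier in the mail) would actually be honoured for client certificates, so the config default should be raised to sha256 in the same change, and a short comment next to this line pointing at `default_md` would tell a reader of pkitool where the signing digest is now chosen.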
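As an added example that is not part of the mail or of the easy-rsa scripts, the following shell script reproduces the precedence rule described above: `default_md` in the `[ req ]` section is honoured only when no digest option is given on the openssl command line. It assumes the `openssl` CLI is installed; the config file, CN and paths are constructed here.

```shell
#!/bin/sh
# Added example: show that openssl honours default_md from the config file
# only when no digest is passed on the command line, and report the
# signature algorithm of the resulting certificate for auditing.
# Assumes the openssl CLI is installed; config, CN and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl.cnf with the given default_md in the [ req ]
# section, which is what "openssl req -x509" consults for a self-signed CA.
write_cnf() {  # $1 = digest name, $2 = output path
    cat > "$2" <<EOF
[ req ]
default_md         = $1
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = constructed-test-ca
EOF
}

# Print the signature algorithm of a PEM certificate (e.g. sha256WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# Classify a signature algorithm as weak (md5/sha1 based) for audits of existing certs.
digest_is_weak() {
    case "$1" in
        md5*|sha1*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Case A: default_md = sha256 in the config and no digest option on the CLI.
write_cnf sha256 "$WORK/a.cnf"
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/a.cnf" \
    -keyout "$WORK/a.key" -out "$WORK/a.crt" 2>/dev/null

# Case B: default_md = md5 in the config, but -sha256 on the CLI takes precedence
# (the same mechanism by which pkitool's hard-coded -sha1 overrode the config).
write_cnf md5 "$WORK/b.cnf"
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/b.cnf" -sha256 \
    -keyout "$WORK/b.key" -out "$WORK/b.crt" 2>/dev/null

ALG_A=$(cert_sig_alg "$WORK/a.crt")
ALG_B=$(cert_sig_alg "$WORK/b.crt")
echo "config only:  $ALG_A"
echo "CLI override: $ALG_B"
```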