Change hash and keysize defaults to modern standards

Change keysize defaults from 1024 to 2048 bits and change the default
hash from md5 to sha256.  Also, removed an oddly-specific call for sha1
in one instance.

Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This commit is contained in:
Eric F Crist 2013-01-30 14:59:18 -06:00
parent 8082464c0f
commit ff5bfd1dd8
7 changed files with 11 additions and 8 deletions


@ -37,7 +37,7 @@ echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
export KEY_SIZE=2048
# These are the default values for fields
# which will be placed in the certificate.
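Review bot: The comment block above the new `export KEY_SIZE=2048` (its first lines are outside the hunk; the same block appears at the hunks ending at L109 and L120, where the header context shows it ending in "are paranoid. This will slow") appears to describe a larger key as an opt-in that slows TLS negotiation and DH generation, and with 2048 now the default that advice reads as stale. The three hunks should reword it rather than only change the number, e.g. `# 2048-bit keys (and DH params) are the default; raising` / `# this further slows TLS negotiation and the one-time` / `# DH parms generation process.`. Since the block also says KEY_SIZE drives DH parameter generation, it is worth stating in the same comment that existing deployments will generate new, larger DH parameters after this change; I cannot see from this page what file name that produces, so confirm before writing it down.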


@ -56,7 +56,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@ -89,6 +89,7 @@ emailAddress = optional
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
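Review bot: The new `default_md = sha256` line in `[ req ]` has no trailing comment, unlike its sibling in the CA section which keeps `# which md to use.`, and the same omission is in the hunks ending at L60 and L78. This setting is now the only thing choosing the request/self-signed digest, because the build script in this commit drops the explicit `-sha1` from its `openssl req` call, so the line deserves a comment that says why it must stay set: `default_md = sha256 # digest for CSRs and the self-signed CA cert; the build scripts pass no -md, so this governs`. The `[ ca ]` comment at the `sha256` line could likewise be tightened from "which md to use." to `# signing digest for issued certs (md5/sha1 are no longer acceptable)` so the change of value is self-explanatory to the next reader.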


@ -59,7 +59,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@ -94,6 +94,7 @@ emailAddress = optional
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert


@ -54,7 +54,7 @@ x509_extensions = usr_cert # The extentions to add to the cert
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # use public key default MD
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@ -89,6 +89,7 @@ emailAddress = optional
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = sha256
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert


@ -322,7 +322,7 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
# Build root CA
if [ $DO_ROOT -eq 1 ]; then
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
chmod 0600 "$CA.key"
else
@ -356,7 +356,7 @@ if [ -d "$KEY_DIR" ] && [ "$KEY_CONFIG" ]; then
( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
-in "$FN.csr" $CA_EXT -config "$KEY_CONFIG" ) && \
( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \
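Review bot: Dropping `-sha1` from the `openssl req` line and `-md sha1` from the `openssl ca` line makes the signing digest depend entirely on the `default_md` entries in whatever file `$KEY_CONFIG` points at; the bundled openssl-*.cnf files gain that entry in this commit, but a user who has pointed KEY_CONFIG at an older or customised config gets no digest from the config and falls back to the OpenSSL build's own default, which on older builds is weaker than sha256. The script should say so next to these calls, e.g. `# No digest is passed here on purpose: default_md in $KEY_CONFIG ([req] and [ca]) governs it; keep it at sha256 or stronger.`, and ideally the script would warn when the selected config lacks a `default_md` line, though I cannot see from this hunk whether a config-check step already exists elsewhere. The `if [ $DO_ROOT -eq 1 ]` branch in the first hunk continues past `else`, and the `( … ) && \` chain in the second hunk starts before L91 and runs past L98, so both enclosing blocks extend outside the hunks.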


@ -50,7 +50,7 @@ export PKCS11_PIN="dummy"
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
export KEY_SIZE=2048
# In how many days should the root CA key expire?
export CA_EXPIRE=3650


@ -21,7 +21,7 @@ rem are paranoid. This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=1024
set KEY_SIZE=2048
rem These are the default values for fields
rem which will be placed in the certificate.