# HG changeset patch
# User Sergey Kandaurov <pluknet@nginx.com>
# Date 1562668675 -10800
# Node ID dbce8fb5f5f8e651f85f7500f71169b6337ea670
# Parent  fe0765147e1596bcbeb5fecd0567610b01513caa
Tests: align with OpenSSL security level 2.

This updates minimum requirements to 2048 bit RSA keys and SHA-2 message digest.

diff --git a/grpc_ssl.t b/grpc_ssl.t
--- a/grpc_ssl.t
+++ b/grpc_ssl.t
@@ -103,7 +103,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -121,7 +121,7 @@ foreach my $name ('localhost') {
 
 foreach my $name ('client') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/h2_proxy_request_buffering_ssl.t b/h2_proxy_request_buffering_ssl.t
--- a/h2_proxy_request_buffering_ssl.t
+++ b/h2_proxy_request_buffering_ssl.t
@@ -82,7 +82,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_proxy_ssl.t b/h2_proxy_ssl.t
--- a/h2_proxy_ssl.t
+++ b/h2_proxy_ssl.t
@@ -57,7 +57,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl.t b/h2_ssl.t
--- a/h2_ssl.t
+++ b/h2_ssl.t
@@ -56,7 +56,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl_proxy_cache.t b/h2_ssl_proxy_cache.t
--- a/h2_ssl_proxy_cache.t
+++ b/h2_ssl_proxy_cache.t
@@ -70,7 +70,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl_variables.t b/h2_ssl_variables.t
--- a/h2_ssl_variables.t
+++ b/h2_ssl_variables.t
@@ -69,7 +69,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/h2_ssl_verify_client.t b/h2_ssl_verify_client.t
--- a/h2_ssl_verify_client.t
+++ b/h2_ssl_verify_client.t
@@ -73,7 +73,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/mail_capability.t b/mail_capability.t
--- a/mail_capability.t
+++ b/mail_capability.t
@@ -103,7 +103,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/mail_imap_ssl.t b/mail_imap_ssl.t
--- a/mail_imap_ssl.t
+++ b/mail_imap_ssl.t
@@ -119,7 +119,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/mail_ssl.t b/mail_ssl.t
--- a/mail_ssl.t
+++ b/mail_ssl.t
@@ -139,7 +139,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -149,7 +149,7 @@ my $d = $t->testdir();
 
 foreach my $name ('localhost', 'inherits') {
 	system("openssl genrsa -out $d/$name.key -passout pass:localhost "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/proxy_if.t b/proxy_if.t
--- a/proxy_if.t
+++ b/proxy_if.t
@@ -158,7 +158,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_request_buffering_ssl.t b/proxy_request_buffering_ssl.t
--- a/proxy_request_buffering_ssl.t
+++ b/proxy_request_buffering_ssl.t
@@ -97,7 +97,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl.t b/proxy_ssl.t
--- a/proxy_ssl.t
+++ b/proxy_ssl.t
@@ -79,7 +79,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl_certificate.t b/proxy_ssl_certificate.t
--- a/proxy_ssl_certificate.t
+++ b/proxy_ssl_certificate.t
@@ -100,7 +100,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -118,7 +118,7 @@ foreach my $name ('1.example.com', '2.ex
 
 foreach my $name ('3.example.com') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/proxy_ssl_keepalive.t b/proxy_ssl_keepalive.t
--- a/proxy_ssl_keepalive.t
+++ b/proxy_ssl_keepalive.t
@@ -73,7 +73,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl_name.t b/proxy_ssl_name.t
--- a/proxy_ssl_name.t
+++ b/proxy_ssl_name.t
@@ -116,7 +116,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/proxy_ssl_verify.t b/proxy_ssl_verify.t
--- a/proxy_ssl_verify.t
+++ b/proxy_ssl_verify.t
@@ -109,7 +109,7 @@ EOF
 $t->write_file('openssl.1.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req
@@ -124,7 +124,7 @@ EOF
 $t->write_file('openssl.2.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 
diff --git a/ssl.t b/ssl.t
--- a/ssl.t
+++ b/ssl.t
@@ -151,7 +151,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -166,7 +166,7 @@ default_ca = myca
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 3
diff --git a/ssl_certificate.t b/ssl_certificate.t
--- a/ssl_certificate.t
+++ b/ssl_certificate.t
@@ -134,7 +134,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -152,7 +152,7 @@ foreach my $name ('one', 'two') {
 
 foreach my $name ('pass') {
 	system("openssl genrsa -out $d/$name.key -passout pass:pass "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create $name key: $!\n";
 	system("openssl req -x509 -new -config $d/openssl.conf "
 		. "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
diff --git a/ssl_certificate_chain.t b/ssl_certificate_chain.t
--- a/ssl_certificate_chain.t
+++ b/ssl_certificate_chain.t
@@ -73,7 +73,7 @@ my $d = $t->testdir();
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -86,7 +86,7 @@ default_ca = myca
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/ssl_certificate_perl.t b/ssl_certificate_perl.t
--- a/ssl_certificate_perl.t
+++ b/ssl_certificate_perl.t
@@ -81,7 +81,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_certificates.t b/ssl_certificates.t
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -70,7 +70,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -80,7 +80,7 @@ my $d = $t->testdir();
 
 system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
 	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
-system("openssl genrsa -out $d/rsa.key 1024 >>$d/openssl.out 2>&1") == 0
+system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
         or die "Can't create RSA pem: $!\n";
 
 foreach my $name ('ec', 'rsa') {
diff --git a/ssl_client_escaped_cert.t b/ssl_client_escaped_cert.t
--- a/ssl_client_escaped_cert.t
+++ b/ssl_client_escaped_cert.t
@@ -63,7 +63,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_crl.t b/ssl_crl.t
--- a/ssl_crl.t
+++ b/ssl_crl.t
@@ -81,7 +81,7 @@ my $d = $t->testdir();
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -94,7 +94,7 @@ default_ca = myca
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/ssl_engine_keys.t b/ssl_engine_keys.t
--- a/ssl_engine_keys.t
+++ b/ssl_engine_keys.t
@@ -106,7 +106,7 @@ init = 1
 PIN = 1234
 
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -127,7 +127,7 @@ foreach my $name ('localhost') {
 		. ">>$d/openssl.out 2>&1");
 
 	system('pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm.so '
-		. '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:1024 '
+		. '-p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:2048 '
 		. ">>$d/openssl.out 2>&1");
 
 	system('openssl req -x509 -new -engine pkcs11 '
diff --git a/ssl_password_file.t b/ssl_password_file.t
--- a/ssl_password_file.t
+++ b/ssl_password_file.t
@@ -92,7 +92,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -103,7 +103,7 @@ mkfifo("$d/password_fifo", 0700);
 
 foreach my $name ('localhost', 'inherits') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/ssl_proxy_protocol.t b/ssl_proxy_protocol.t
--- a/ssl_proxy_protocol.t
+++ b/ssl_proxy_protocol.t
@@ -76,7 +76,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_proxy_upgrade.t b/ssl_proxy_upgrade.t
--- a/ssl_proxy_upgrade.t
+++ b/ssl_proxy_upgrade.t
@@ -72,7 +72,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_sni.t b/ssl_sni.t
--- a/ssl_sni.t
+++ b/ssl_sni.t
@@ -100,7 +100,7 @@ plan(skip_all => 'Net::SSLeay with OpenS
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_sni_reneg.t b/ssl_sni_reneg.t
--- a/ssl_sni_reneg.t
+++ b/ssl_sni_reneg.t
@@ -76,7 +76,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_sni_sessions.t b/ssl_sni_sessions.t
--- a/ssl_sni_sessions.t
+++ b/ssl_sni_sessions.t
@@ -106,7 +106,7 @@ plan(skip_all => 'Net::SSLeay with OpenS
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_stapling.t b/ssl_stapling.t
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -124,7 +124,7 @@ my $p = port(8081);
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -137,7 +137,7 @@ default_ca = myca
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/ssl_verify_client.t b/ssl_verify_client.t
--- a/ssl_verify_client.t
+++ b/ssl_verify_client.t
@@ -116,7 +116,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t
--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -63,7 +63,7 @@ my $d = $t->testdir();
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -76,7 +76,7 @@ default_ca = myca
 [ myca ]
 new_certs_dir = $d
 database = $d/certindex
-default_md = sha1
+default_md = sha256
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
diff --git a/stream_proxy_protocol_ssl.t b/stream_proxy_protocol_ssl.t
--- a/stream_proxy_protocol_ssl.t
+++ b/stream_proxy_protocol_ssl.t
@@ -59,7 +59,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl.t b/stream_proxy_ssl.t
--- a/stream_proxy_ssl.t
+++ b/stream_proxy_ssl.t
@@ -83,7 +83,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl_certificate.t b/stream_proxy_ssl_certificate.t
--- a/stream_proxy_ssl_certificate.t
+++ b/stream_proxy_ssl_certificate.t
@@ -104,7 +104,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -122,7 +122,7 @@ foreach my $name ('1.example.com', '2.ex
 
 foreach my $name ('3.example.com') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/stream_proxy_ssl_name.t b/stream_proxy_ssl_name.t
--- a/stream_proxy_ssl_name.t
+++ b/stream_proxy_ssl_name.t
@@ -101,7 +101,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl_name_complex.t b/stream_proxy_ssl_name_complex.t
--- a/stream_proxy_ssl_name_complex.t
+++ b/stream_proxy_ssl_name_complex.t
@@ -62,7 +62,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_proxy_ssl_verify.t b/stream_proxy_ssl_verify.t
--- a/stream_proxy_ssl_verify.t
+++ b/stream_proxy_ssl_verify.t
@@ -111,7 +111,7 @@ EOF
 $t->write_file('openssl.1.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req
@@ -126,7 +126,7 @@ EOF
 $t->write_file('openssl.2.example.com.conf', <<EOF);
 [ req ]
 prompt = no
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 
diff --git a/stream_ssl.t b/stream_ssl.t
--- a/stream_ssl.t
+++ b/stream_ssl.t
@@ -92,7 +92,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -103,7 +103,7 @@ mkfifo("$d/password_fifo", 0700);
 
 foreach my $name ('localhost', 'inherits') {
 	system("openssl genrsa -out $d/$name.key -passout pass:$name "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create private key: $!\n";
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
diff --git a/stream_ssl_certificate.t b/stream_ssl_certificate.t
--- a/stream_ssl_certificate.t
+++ b/stream_ssl_certificate.t
@@ -117,7 +117,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
@@ -135,7 +135,7 @@ foreach my $name ('one', 'two') {
 
 foreach my $name ('pass') {
 	system("openssl genrsa -out $d/$name.key -passout pass:pass "
-		. "-aes128 1024 >>$d/openssl.out 2>&1") == 0
+		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
 		or die "Can't create $name key: $!\n";
 	system("openssl req -x509 -new -config $d/openssl.conf "
 		. "-subj /CN=$name/ -out $d/$name.crt -key $d/$name.key "
diff --git a/stream_ssl_preread.t b/stream_ssl_preread.t
--- a/stream_ssl_preread.t
+++ b/stream_ssl_preread.t
@@ -126,7 +126,7 @@ plan(skip_all => 'Net::SSLeay with OpenS
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_preread_alpn.t b/stream_ssl_preread_alpn.t
--- a/stream_ssl_preread_alpn.t
+++ b/stream_ssl_preread_alpn.t
@@ -86,7 +86,7 @@ plan(skip_all => 'Net::SSLeay with OpenS
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_realip.t b/stream_ssl_realip.t
--- a/stream_ssl_realip.t
+++ b/stream_ssl_realip.t
@@ -84,7 +84,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_variables.t b/stream_ssl_variables.t
--- a/stream_ssl_variables.t
+++ b/stream_ssl_variables.t
@@ -73,7 +73,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_ssl_verify_client.t b/stream_ssl_verify_client.t
--- a/stream_ssl_verify_client.t
+++ b/stream_ssl_verify_client.t
@@ -92,7 +92,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/stream_upstream_zone_ssl.t b/stream_upstream_zone_ssl.t
--- a/stream_upstream_zone_ssl.t
+++ b/stream_upstream_zone_ssl.t
@@ -86,7 +86,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]
diff --git a/upstream_zone_ssl.t b/upstream_zone_ssl.t
--- a/upstream_zone_ssl.t
+++ b/upstream_zone_ssl.t
@@ -89,7 +89,7 @@ EOF
 
 $t->write_file('openssl.conf', <<EOF);
 [ req ]
-default_bits = 1024
+default_bits = 2048
 encrypt_key = no
 distinguished_name = req_distinguished_name
 [ req_distinguished_name ]