Back to bug 2060798
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2022-03-04 10:09:33 UTC | Pool ID | sst_idm_ipa_rhel_9 | |
| Red Hat One Jira (issues.redhat.com) | 2022-03-04 10:17:32 UTC | Link ID | Red Hat Issue Tracker FREEIPA-7931 | |
| Red Hat One Jira (issues.redhat.com) | 2022-03-04 10:17:36 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-114497 | |
| Michele Baldessari | 2022-03-04 10:57:41 UTC | CC | michele | |
| Damien Ciabrini | 2022-03-04 14:22:37 UTC | CC | dciabrin | |
| Julien Rische | 2022-03-04 16:14:42 UTC | CC | jrische | |
| Alexander Bokovoy | 2022-03-05 09:29:23 UTC | CC | abokovoy, dpal, fdvorak | |
| | | Component | ipa | krb5 |
| | | Assignee | frenaud | jrische |
| Alexander Bokovoy | 2022-03-05 09:45:25 UTC | Flags | needinfo?(lmiccini) | |
| Luca Miccini | 2022-03-07 08:39:26 UTC | Flags | needinfo?(lmiccini) | |
| Alexander Bokovoy | 2022-03-08 08:52:44 UTC | Blocks | 2057471 | |
| Scott Poore | 2022-03-08 18:27:13 UTC | CC | spoore | |
| Julien Rische | 2022-03-09 13:10:19 UTC | Status | NEW | ASSIGNED |
| RHEL Program Management | 2022-03-09 13:10:28 UTC | Keywords | Triaged | |
| Nate Johnston | 2022-03-09 15:48:08 UTC | CC | njohnston | |
| Pablo Mendez Hernandez | 2022-03-09 17:44:27 UTC | CC | pmendezh | |
| Simo Sorce | 2022-03-09 20:32:20 UTC | CC | ssorce | |
| | | Flags | needinfo?(jrische) | |
| Alexander Bokovoy | 2022-03-10 06:38:00 UTC | Flags | needinfo?(jrische) | |
| Filip Dvorak | 2022-03-10 12:14:02 UTC | QA Contact | ipa-qe | fdvorak |
| Julien Rische | 2022-03-16 12:20:20 UTC | Summary | ipa role creation via ansible fails with latest openssl | SHA-1 no longer available for CMS digest during anonymous PKINIT |
| Trivino | 2022-03-16 16:44:29 UTC | Priority | unspecified | high |
| | | Version | unspecified | 9.0 |
| | | CC | ftrivino | |
| Trivino | 2022-03-16 16:46:11 UTC | Blocks | 2064823 | |
| Clemens Lang | 2022-03-17 11:37:02 UTC | CC | cllang | |
| Prokop Vlasin | 2022-03-17 18:37:27 UTC | CC | pvlasin | |
| RHEL Program Management Team | 2022-03-17 18:54:37 UTC | Blocks | 2065401 | |
| Trivino | 2022-03-18 08:45:34 UTC | Status | ASSIGNED | MODIFIED |
| Michal Polovka | 2022-03-18 18:02:04 UTC | Fixed In Version | krb5-1.19.1-15.el9_0 | |
| | | CC | mpolovka | |
| errata-xmlrpc | 2022-03-18 18:17:32 UTC | Status | MODIFIED | ON_QA |
| Julien Rische | 2022-03-21 13:30:09 UTC | Blocks | 2066316 | |
| Julien Rische | 2022-03-21 13:40:51 UTC | Blocks | 2066319 | |
| Julien Rische | 2022-03-23 11:14:02 UTC | Blocks | 2067121 | |
| Florence Blanc-Renaud | 2022-03-24 07:22:13 UTC | Blocks | 2067971 | |
| Filip Dvorak | 2022-03-27 19:57:07 UTC | Status | ON_QA | VERIFIED |
| Filip Dvorak | 2022-03-30 07:54:49 UTC | Doc Type | If docs needed, set a value | Enhancement |
| | | Doc Text | Feature: Stronger SHA-2 hash algorithm is used for the signature of the PKINIT CMS messages instead of SHA-1. Reason: The SHA-1 hash algorithm was deprecated in RHEL9. More info about it can be found in RHEL9 RN [1] [1] I will add a link as soon as the ticket (https://issues.redhat.com/browse/RHELPLAN-116484) is done. Result: Kerberos used the SHA-1 hash algorithm for the signature of PKINIT CMS messages by default but because the SHA-1 was deprecated in RHEL9 this algorithm was replaced by SHA-2. It means that Kerberos uses the SHA-2 algorithm by default in RHEL9. For interoperability with older Kerberos clients (RHEL7.8 and RHEL8.6) it is necessary to turn on the crypto-policy with the support of SHA-1 algorithm (update-crypto-policies --set DEFAULT:SHA1). The fix for the clients will be available (RHEL7.9 and RHEL8.7 and later on) that turns on SHA-2 automatically (BZ#2066316,BZ#2066319). | |
| Filip Dvorak | 2022-03-30 07:55:46 UTC | Flags | needinfo?(jrische) | |
| Josip Vilicic | 2022-03-30 12:43:22 UTC | Docs Contact | jvilicic | |
| | | CC | jvilicic | |
| Julien Rische | 2022-04-04 06:22:21 UTC | Doc Text | Feature: Stronger SHA-2 hash algorithm is used for the signature of the PKINIT CMS messages instead of SHA-1. Reason: The SHA-1 hash algorithm was deprecated in RHEL9. More info about it can be found in RHEL9 RN [1] [1] I will add a link as soon as the ticket (https://issues.redhat.com/browse/RHELPLAN-116484) is done. Result: Kerberos used the SHA-1 hash algorithm for the signature of PKINIT CMS messages by default but because the SHA-1 was deprecated in RHEL9 this algorithm was replaced by SHA-2. It means that Kerberos uses the SHA-2 algorithm by default in RHEL9. For interoperability with older Kerberos clients (RHEL7.8 and RHEL8.6) it is necessary to turn on the crypto-policy with the support of SHA-1 algorithm (update-crypto-policies --set DEFAULT:SHA1). The fix for the clients will be available (RHEL7.9 and RHEL8.7 and later on) that turns on SHA-2 automatically (BZ#2066316,BZ#2066319). | Feature: Stronger SHA-2 hash algorithm is used for the signature of the PKINIT CMS messages instead of SHA-1. Reason: The SHA-1 hash algorithm was deprecated in RHEL9. More info about it can be found in RHEL9 RN [1] [1] I will add a link as soon as the ticket (https://issues.redhat.com/browse/RHELPLAN-116484) is done. Result: Kerberos KDC was using the SHA-1 digest algorithm for the signature of CMS messages for anonymous PKINIT, but because SHA-1 was deprecated in RHEL9 this algorithm was replaced by SHA-2. It means that Kerberos uses the SHA-2 algorithm by default in RHEL9. For interoperability with older Kerberos KDCs (RHEL7.8 and RHEL8.6) it is necessary to turn on the crypto-policy with the support of SHA-1 algorithm (update-crypto-policies --set DEFAULT:SHA1), because these KDCs are still signing CMS messages with SHA-1. A fix will be available (RHEL7.9 and RHEL8.7 and later on) to use SHA-2 by default (BZ#2066316,BZ#2066319). |
| Julien Rische | 2022-04-04 06:23:20 UTC | Flags | needinfo?(jrische) | needinfo- |
| Julien Rische | 2022-04-04 06:23:44 UTC | Flags | needinfo- | |
| Ivan Nikolchev | 2022-04-11 14:58:13 UTC | CC | inikolch | |
| | | Flags | needinfo?(jrische) | |
| Julien Rische | 2022-04-13 16:15:46 UTC | Flags | needinfo?(jrische) | |
| Josip Vilicic | 2022-04-22 14:19:23 UTC | Flags | needinfo?(jrische) | |
| Julien Rische | 2022-04-28 11:11:44 UTC | Flags | needinfo?(jrische) | |
| Josip Vilicic | 2022-04-28 14:16:33 UTC | Doc Text | Feature: Stronger SHA-2 hash algorithm is used for the signature of the PKINIT CMS messages instead of SHA-1. Reason: The SHA-1 hash algorithm was deprecated in RHEL9. More info about it can be found in RHEL9 RN [1] [1] I will add a link as soon as the ticket (https://issues.redhat.com/browse/RHELPLAN-116484) is done. Result: Kerberos KDC was using the SHA-1 digest algorithm for the signature of CMS messages for anonymous PKINIT, but because SHA-1 was deprecated in RHEL9 this algorithm was replaced by SHA-2. It means that Kerberos uses the SHA-2 algorithm by default in RHEL9. For interoperability with older Kerberos KDCs (RHEL7.8 and RHEL8.6) it is necessary to turn on the crypto-policy with the support of SHA-1 algorithm (update-crypto-policies --set DEFAULT:SHA1), because these KDCs are still signing CMS messages with SHA-1. A fix will be available (RHEL7.9 and RHEL8.7 and later on) to use SHA-2 by default (BZ#2066316,BZ#2066319). | .Anonymous PKINIT CMS messages are now signed with SHA-2 instead of SHA-1 Because the SHA-1 digest algorithm has been deprecated in RHEL 9, CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. With the release of RHEL 7.9 and RHEL 8.7, SHA-2 will be used by default in RHEL 7 and RHEL 8 as well. Older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and earlier, or RHEL 8.6 and earlier, still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: + ---- # update-crypto-policies --set DEFAULT:SHA1 ---- |
| Lenka Špačková | 2022-05-06 06:50:40 UTC | Doc Text | .Anonymous PKINIT CMS messages are now signed with SHA-2 instead of SHA-1 Because the SHA-1 digest algorithm has been deprecated in RHEL 9, CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. With the release of RHEL 7.9 and RHEL 8.7, SHA-2 will be used by default in RHEL 7 and RHEL 8 as well. Older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and earlier, or RHEL 8.6 and earlier, still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: + ---- # update-crypto-policies --set DEFAULT:SHA1 ---- | .Anonymous PKINIT CMS messages are now signed with SHA-2 instead of SHA-1 Because the SHA-1 digest algorithm has been deprecated in RHEL 9, CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. With the release of RHEL 7.9 and RHEL 8.7, SHA-2 will be used by default in RHEL 7 and RHEL 8 as well. Older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and earlier, or RHEL 8.6 and earlier, still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: ---- # update-crypto-policies --set DEFAULT:SHA1 ---- |
| Filip Hanzelka | 2022-05-06 09:56:09 UTC | Doc Text | .Anonymous PKINIT CMS messages are now signed with SHA-2 instead of SHA-1 Because the SHA-1 digest algorithm has been deprecated in RHEL 9, CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. With the release of RHEL 7.9 and RHEL 8.7, SHA-2 will be used by default in RHEL 7 and RHEL 8 as well. Older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and earlier, or RHEL 8.6 and earlier, still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: ---- # update-crypto-policies --set DEFAULT:SHA1 ---- | .Anonymous PKINIT CMS messages are now signed with SHA-2 instead of SHA-1 Because the SHA-1 digest algorithm has been deprecated in RHEL 9, CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. With the release of RHEL 7.9 and RHEL 8.7, SHA-2 will be used by default in RHEL 7 and RHEL 8 as well. Older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and earlier, or RHEL 8.6 and earlier, still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. |
| | | CC | fhanzelk | |
| errata-xmlrpc | 2022-05-17 00:49:34 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2022-05-17 15:54:14 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2022-05-17 15:54:14 UTC | |
| errata-xmlrpc | 2022-05-17 15:54:54 UTC | Link ID | Red Hat Product Errata RHBA-2022:3951 | |
| Josip Vilicic | 2022-05-17 20:53:51 UTC | Doc Text | .Anonymous PKINIT CMS messages are now signed with SHA-2 instead of SHA-1 Because the SHA-1 digest algorithm has been deprecated in RHEL 9, CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. With the release of RHEL 7.9 and RHEL 8.7, SHA-2 will be used by default in RHEL 7 and RHEL 8 as well. Older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and earlier, or RHEL 8.6 and earlier, still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. | .Anonymous PKINIT CMS messages are now signed with SHA-2 The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. While SHA-2 will be used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. |
| Pasi Karkkainen | 2022-05-27 12:25:02 UTC | CC | pasik | |
| Trivino | 2022-09-05 15:30:50 UTC | Blocks | 2124308 | |
| Trivino | 2022-09-05 15:33:48 UTC | Blocks | 2124310 | |
| Julien Rische | 2022-09-09 08:34:11 UTC | Summary | SHA-1 no longer available for CMS digest during anonymous PKINIT | SHA-1 no longer available for CMS digest during PKINIT |
| Filip Hanzelka | 2022-09-14 09:51:24 UTC | Doc Text | .Anonymous PKINIT CMS messages are now signed with SHA-2 The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. While SHA-2 will be used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest algorithm to sign CMS messages. If you need interoperability with these older KDCs, enable support for the SHA-1 algorithm on your RHEL 9 servers with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. | .Anonymous PKINIT CMS messages are now signed with SHA-2 The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. While SHA-2 will be used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest algorithm to sign CMS messages. So does the Active Directory (AD) KDC. If you need interoperability with these older RHEL KDCs or with an AD KDC, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. |
| Filip Hanzelka | 2022-09-19 08:12:40 UTC | Doc Type | Enhancement | Known Issue |
| | | Doc Text | .Anonymous PKINIT CMS messages are now signed with SHA-2 The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for anonymous PKINIT are now signed with the stronger SHA-2 algorithm. While SHA-2 will be used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest algorithm to sign CMS messages. So does the Active Directory (AD) KDC. If you need interoperability with these older RHEL KDCs or with an AD KDC, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. | .The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against older RHEL KDCs and AD KDCs The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm. While SHA-256 is used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest algorithm to sign CMS messages. So does the Active Directory (AD) KDC. As a result, RHEL 9 Kerberos clients fail to authenticate users using PKINIT against the following: * KDCs running on RHEL 7.8 and earlier * KDCs running on RHEL 8.6 and earlier * AD KDCs To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. |
| Gabi Fialová | 2022-09-21 12:20:23 UTC | CC | gfialova | |
| Filip Hanzelka | 2022-09-23 21:42:22 UTC | Doc Text | .The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against older RHEL KDCs and AD KDCs The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm. While SHA-256 is used by default starting with RHEL 7.9 and RHEL 8.7, older Kerberos Key Distribution Centers (KDCs) on RHEL 7.8 and RHEL 8.6 and earlier still use the SHA-1 digest algorithm to sign CMS messages. So does the Active Directory (AD) KDC. As a result, RHEL 9 Kerberos clients fail to authenticate users using PKINIT against the following: * KDCs running on RHEL 7.8 and earlier * KDCs running on RHEL 8.6 and earlier * AD KDCs To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. | .The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm. However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate smart card users against an AD KDC. To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. |
| Filip Hanzelka | 2022-09-26 14:13:17 UTC | Doc Text | .The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm. However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate smart card users against an AD KDC. To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- See also xref:BZ-2068935[]. | .The DEFAULT:SHA1 sub-policy has to be set on RHEL 9 clients for PKINIT to work against AD KDCs The SHA-1 digest algorithm has been deprecated in RHEL 9, and CMS messages for Public Key Cryptography for initial authentication (PKINIT) are now signed with the stronger SHA-256 algorithm. However, the Active Directory (AD) Kerberos Distribution Center (KDC) still uses the SHA-1 digest algorithm to sign CMS messages. As a result, RHEL 9 Kerberos clients fail to authenticate users by using PKINIT against an AD KDC. To work around the problem, enable support for the SHA-1 algorithm on your RHEL 9 systems with the following command: [literal] ---- # update-crypto-policies --set DEFAULT:SHA1 ---- |
| Marco Rhodes | 2022-11-28 18:09:29 UTC | CC | mrhodes | |
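The doc text above describes the failure only in terms of the fix (RHEL 9 signs PKINIT CMS messages with SHA-256, older RHEL KDCs and AD KDCs still use SHA-1, and `update-crypto-policies --set DEFAULT:SHA1` is the workaround). The check a practitioner wants when debugging an interop failure is to look at the actual CMS SignedData the KDC returns and see which digest OID it carries. The script below is an added example, not code from this bug report, krb5 or FreeIPA: it builds two constructed SignedData blobs with a tiny DER encoder (dummy signer identity, no real signature, a placeholder instead of a real AuthPack), walks them back with a minimal DER parser to collect the digest OIDs from `digestAlgorithms` and every `SignerInfo`, and maps the result onto a crypto-policy name. The policy mapping in `accepted_by_policy` (SHA-1 passes only under `LEGACY` or with the `SHA1` sub-policy appended, e.g. `DEFAULT:SHA1`) is an assumption of this example; on a real system the decision is made by OpenSSL under the active policy, not by this function.

```python
"""Report the digest algorithm in a PKINIT CMS SignedData blob.

Added example, not code from this bug, krb5 or FreeIPA. The useful check for
this bug is: which digest OIDs does a KDC's SignedData carry, and does the
active crypto-policy allow them? Sample blobs are constructed (dummy signature).
"""

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_PKINIT_AUTHDATA = "1.3.6.1.5.2.3.1"      # id-pkinit-authData (RFC 4556)
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
DIGEST_NAMES = {OID_SHA1: "SHA-1", OID_SHA256: "SHA-256"}

# ---- minimal DER encoder, only what the constructed sample needs ----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def alg_id(oid):
    return der(0x30, der_oid(oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params

def build_pkinit_signed_data(digest_oid, payload=b"AuthPack placeholder"):
    """ContentInfo{SignedData} with one signer; constructed test input only."""
    signer_info = der(0x30,
        der(0x02, b"\x01")                                  # version 1
        + der(0x30, der(0x30, b"") + der(0x02, b"\x01"))    # issuerAndSerialNumber (dummy)
        + alg_id(digest_oid)                                # digestAlgorithm
        + alg_id("1.2.840.113549.1.1.1")                    # signatureAlgorithm rsaEncryption
        + der(0x04, b"\x00" * 8))                           # signature (dummy bytes)
    signed_data = der(0x30,
        der(0x02, b"\x03")                                  # version 3
        + der(0x31, alg_id(digest_oid))                     # digestAlgorithms SET
        + der(0x30, der_oid(OID_PKINIT_AUTHDATA)
              + der(0xA0, der(0x04, payload)))              # encapContentInfo
        + der(0x31, signer_info))                           # signerInfos SET
    return der(0x30, der_oid(OID_SIGNED_DATA) + der(0xA0, signed_data))

# ---- minimal DER walker, works on real blobs too (e.g. carved from a pcap) --
def tlv(buf, i=0):
    """Return (tag, value, next_index) for the TLV starting at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def children(buf):
    i = 0
    while i < len(buf):
        tag, val, i = tlv(buf, i)
        yield tag, val

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for x in body[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def cms_digest_oids(blob):
    """Digest OIDs from SignedData.digestAlgorithms and from every SignerInfo."""
    _, content_info, _ = tlv(blob)
    (_, ctype), (_, explicit) = list(children(content_info))[:2]
    if decode_oid(ctype) != OID_SIGNED_DATA:
        raise ValueError("ContentInfo is not id-signedData")
    fields = list(children(next(children(explicit))[1]))   # SignedData fields
    oids = set()
    for _, alg in children(fields[1][1]):                  # digestAlgorithms
        oids.add(decode_oid(next(children(alg))[1]))
    for _, si in children(fields[-1][1]):                  # signerInfos, always last
        oids.add(decode_oid(next(children(list(children(si))[2][1]))[1]))
    return oids

def accepted_by_policy(oids, policy="DEFAULT"):
    """Assumption for this example: SHA-1 digests pass only under LEGACY or with
    the SHA1 sub-policy appended (DEFAULT:SHA1); SHA-2 digests always pass."""
    sha1_ok = policy == "LEGACY" or "SHA1" in policy.split(":")[1:]
    return all(oid != OID_SHA1 or sha1_ok for oid in oids)

if __name__ == "__main__":
    for label, oid in (("SHA-1 signer", OID_SHA1), ("SHA-256 signer", OID_SHA256)):
        found = cms_digest_oids(build_pkinit_signed_data(oid))
        print(label, sorted(DIGEST_NAMES.get(o, o) for o in found),
              "DEFAULT:", accepted_by_policy(found),
              "DEFAULT:SHA1:", accepted_by_policy(found, "DEFAULT:SHA1"))
```

On a RHEL 9 client `update-crypto-policies --show` prints the active policy name to feed into `accepted_by_policy`. Note that the `DEFAULT:SHA1` workaround in the doc text re-enables SHA-1 signatures system-wide, not just for Kerberos, so it belongs only on the clients that must talk to the affected KDCs and should be reverted once those KDCs are updated (RHEL 7.9 and RHEL 8.7 per the doc text; the AD case has no such fix listed on this page).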