Bug 1605657

Summary: [RFE] Add SHA256 support to Apache
Product: Red Hat CloudForms Management Engine Reporter: Ryan Spagnola <rspagnol>
Component: ApplianceAssignee: Joe Vlcek <jvlcek>
Status: CLOSED DUPLICATE QA Contact: Dave Johnson <dajohnso>
Severity: high Docs Contact:
Priority: unspecified    
Version: 5.9.0CC: abellott, jdennis, jocarter, jvlcek, lavenel, obarenbo, pasik
Target Milestone: GAKeywords: FutureFeature, RFE
Target Release: cfme-future   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
5.10.1
Last Closed: 2019-06-28 19:47:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1295472    
Bug Blocks:    

Description Ryan Spagnola 2018-07-20 16:26:14 UTC 
Description of problem:
Customer is using SAML authentication by way of Microsoft ADFS as an identity provider. The workaround solution is to use SHA-1 (less secure) instead of SHA-256. Requesting that SHA256 support to mod_mellon to be included with CFME in order to accomodate SAML/SHA256 auth.

Version-Release number of selected component (if applicable):
5.9.2.4

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Blocked by this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1295472
Comment 2 Joe Vlcek 2018-08-27 18:23:41 UTC 
Adding SHA-256 signature support is an open issue for mod_auth_mellon
See: https://github.com/Uninett/mod_auth_mellon/issues/60

This mod_auth_mellon issue needs to be resolved before CFME can expose it.
Comment 3 Loic Avenel 2019-01-25 12:32:43 UTC 
(In reply to Joe Vlcek from comment #2)
> Adding SHA-256 signature support is an open issue for mod_auth_mellon
> See: https://github.com/Uninett/mod_auth_mellon/issues/60
> 
> This mod_auth_mellon issue needs to be resolved before CFME can expose it.

Joe, can I get an update here?
Comment 4 Joe Vlcek 2019-01-25 12:41:49 UTC 
(In reply to Loic Avenel from comment #3)
> (In reply to Joe Vlcek from comment #2)
> > Adding SHA-256 signature support is an open issue for mod_auth_mellon
> > See: https://github.com/Uninett/mod_auth_mellon/issues/60
> > 
> > This mod_auth_mellon issue needs to be resolved before CFME can expose it.
> 
> Joe, can I get an update here?

Loic,

We cannot support SHA256 in Apache until this mod_auth_mellon issue is resolved.
https://github.com/Uninett/mod_auth_mellon/issues/60#

I have requested an ETA on the issue.

JoeV
Comment 5 Loic Avenel 2019-06-20 17:45:43 UTC 
Joe, I don't see any movement mod_auth_mellon issue here ? 
What can we do?
Comment 6 Joe Vlcek 2019-06-21 18:27:08 UTC 
(In reply to Loic Avenel from comment #5)
> Joe, I don't see any movement mod_auth_mellon issue here ? 
> What can we do?

Loic,

I will investigate.

Since the last update some work has been done to mod_auth_mellon which may
provide the requested support.

I'll leave the . NEEDSINFO flag set while I am investigating.

JoeV
Comment 7 John Dennis 2019-06-21 21:36:20 UTC 
I added support to mellon for SHA-256 a year and a half ago in the following upstream commit.
It first appeared in upstream 14.0. mod_auth_mellon-14.0 was built for RHEL-7 a year ago
in June of 2018 (sorry, don't recall the exact RHEL update). This is the first time I've
seen this bug, I was the mod_auth_mellon maintainer during this period, maintainership
recently was transferred to Jakub Hrozek <jhrozek>

commit 9b17e5c1078a9be90de1e9d03079b34ca4056e96 (origin/sign_alg)
Author: John Dennis <jdennis>
Date:   Thu Jan 11 13:05:26 2018 -0500

    Add MellonSignatureMethod to control signature algorithm
    
    Previously there was no way to control the signature algorithm used
    when Mellon signed it's SAML messages. It simply defaulted to whatever
    the default was in the LassoServer server object. Currently the lasso
    default is LASSO_SIGNATURE_METHOD_RSA_SHA1. Some IdP's require a
    different or more secure method (e.g. ADFS). This patch allows
    controlling the signature method on a per directory basis via the
    MellonSignatureMethod configuration directive.
    
    It currently supports the following configuration values which map to
    these Lasso enumerated constants (provided these definition exist in
    Lasso):
    
    rsa-sha1:    LASSO_SIGNATURE_METHOD_RSA_SHA1
    rsa-sha256:  LASSO_SIGNATURE_METHOD_RSA_SHA256
    rsa-sha384:  LASSO_SIGNATURE_METHOD_RSA_SHA384
    rsa-sha512:  LASSO_SIGNATURE_METHOD_RSA_SHA512
    
    configure.ac was modified to test for the existence of the above
    Lasso definitions, support is only compiled into Mellon if they
    are defined at build time.
    
    Important: This patch also changes the default used by Mellon from
    rsa-sha1 to rsa-sha256. This was done because SHA1 is no longer
    considered safe, SHA256 is now the current recommendation.
    
    The patch also includes a few corrections in the diagnostics code
    where it failed to use CFG_VALUE. Also fixed the diagnostics code when
    an unknown value was encounted to print what that unknown value was.
    
    Signed-off-by: John Dennis <jdennis>
Comment 8 Joe Vlcek 2019-06-28 19:47:38 UTC 
As John Dennis points out in the above comment the newer version of mod_auth_mellon now supports SHA-256 and it does it as the default.

"Important: This patch also changes the default used by Mellon from
    rsa-sha1 to rsa-sha256. This was done because SHA1 is no longer
    considered safe, SHA256 is now the current recommendation."

I have tested the latest upstream ManageIQ build, which contains mod_auth_mellon version 0.14.0-2.el7_6.4
I see in the apache ssl_request.log  "ECDHE-RSA-AES128-GCM-SHA256".

So I am marking this BZ closed at a duplicate of:
 
BZ 1295472 - mod_auth_mellon not working with SHA-256 ADFS

*** This bug has been marked as a duplicate of bug 1295472 ***