Bug 1908331

Summary: net-snmp-cert gencert creates an obsolete SHA1 certificate
Product: Red Hat Enterprise Linux 8
Reporter: Graham Leggett <minfrin>
Component: net-snmp
Assignee: Josef Ridky <jridky>
Status: CLOSED ERRATA
QA Contact: Evgeny Fedin <efedin>
Severity: unspecified
Docs Contact: Šárka Jana <sjanderk>
Priority: unspecified
Version: 8.6
CC: efedin, jharuda, jridky, sjanderk
Target Milestone: rc
Keywords: Patch, Triaged, Upstream
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: net-snmp-5.8-23.el8
Doc Type: Enhancement
Doc Text:
.The `net-snmp-cert gencert` tool now uses the SHA512 encryption algorithm instead of SHA1
In order to increase security, the `net-snmp-cert gencert` tool has been updated to generate certificates using the SHA512 encryption algorithm by default.
Last Closed: 2022-05-10 15:20:40 UTC
Type: Bug

Description Graham Leggett 2020-12-16 12:44:43 UTC
Description of problem:

The "net-snmp-cert gencert" tool generates certificates signed by obsolete SHA1.

Version-Release number of selected component (if applicable):

net-snmp-perl-1:5.8-17.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Generate a server certificate:

[root@localhost ~]# net-snmp-cert gencert -I -t snmpd -n hostname.example.com --san DNS:snmpd.example.com
Certificate Generated:
  certs/snmpd.crt
  private/snmpd.key

2. View the certificate generated:

[root@localhost tls]# openssl x509 -text -in /etc/snmp/tls/certs/snmpd.crt

Actual results:

Signature Algorithm: sha1WithRSAEncryption

Expected results:

SHA256 at least.

Additional info:

Client certificate has the same problem:

net-snmp-cert gencert -I -t manager -n joecool --san email:cooljoe.com
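
A check for the condition reported above, as an added example that is not part of the original report or of net-snmp: it reads the `Signature Algorithm` field from `openssl x509 -text` output and flags SHA-1 and MD5-family signatures across a certificate directory. The function names and the sample text are constructed for illustration; the directory in the usage comment is the one shown in step 2.

```shell
#!/usr/bin/env bash
# Added example (not net-snmp code): flag certificates signed with a SHA-1 or
# MD5-family digest. Function names are hypothetical.

# Constructed sample of `openssl x509 -noout -text` output, trimmed to the
# relevant fields; it matches the "Actual results" line in the report.
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = hostname.example.com
    Signature Algorithm: sha1WithRSAEncryption'

# Read `openssl x509 -text` output on stdin, print the signature algorithm.
# The field appears twice (inner and outer); the first occurrence is used.
sig_alg_from_text() {
    awk '/Signature Algorithm:/ {
        sub(/^.*Signature Algorithm:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
        print; exit
    }'
}

# Succeed (exit 0) when the algorithm name uses an obsolete digest.
# RSASSA-PSS keeps its digest in the parameters and is not classified here.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        sha1*|*sha1|md5*|md4*|md2*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every *.crt in a directory; return 1 if any is weak or unreadable.
audit_cert_dir() {
    audit_rc=0
    for audit_crt in "$1"/*.crt; do
        [ -e "$audit_crt" ] || continue
        audit_alg=$(openssl x509 -noout -text -in "$audit_crt" 2>/dev/null | sig_alg_from_text)
        if [ -z "$audit_alg" ]; then
            echo "UNREADABLE $audit_crt"; audit_rc=1
        elif is_weak_sig_alg "$audit_alg"; then
            echo "WEAK $audit_alg $audit_crt"; audit_rc=1
        else
            echo "OK $audit_alg $audit_crt"
        fi
    done
    return "$audit_rc"
}

# Usage: audit_cert_dir /etc/snmp/tls/certs
```

The non-zero return status lets the audit run from a cron job or configuration-management check after regenerating certificates with the fixed package.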

Comment 1 Graham Leggett 2020-12-16 12:54:23 UTC
Reported upstream.

https://github.com/net-snmp/net-snmp/issues/231

Comment 2 Josef Ridky 2021-03-31 06:19:07 UTC
Patch available https://github.com/net-snmp/net-snmp/commit/a9cf25db7e3e969dbcd9bda9a16457db6fc7210f

@efedin is it manageable to have this fix in RHEL-8.5.0?

Comment 3 Josef Ridky 2021-07-27 14:04:00 UTC
Moving to RHEL-8.6.0.

@efedin please review

Comment 15 errata-xmlrpc 2022-05-10 15:20:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (net-snmp bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2023