Bug 1954041

Summary: Remove support for SHA-1 in ticket modules
Product: [oVirt] ovirt-engine
Reporter: Yedidyah Bar David <didi>
Component: General
Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE
QA Contact: Qin Yuan <qiyuan>
Severity: medium
Priority: low
Version: 4.4.5
CC: bugs
Target Milestone: ovirt-4.5.0
Keywords: ZStream
Target Release: 4.5.0
Flags: pm-rhel: ovirt-4.5?
sbonazzo: planning_ack?
pm-rhel: devel_ack+
pm-rhel: testing_ack+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.5.0
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2022-04-22 15:06:04 UTC
Type: Bug
Regression: ---
oVirt Team: Integration
Bug Blocks: 1912687

Description Yedidyah Bar David 2021-04-27 13:50:05 UTC
Description of problem:

This is an addition to bug 1912689 and bug 1912691.

In order to not risk breaking stuff during the migration from SHA-1 to SHA-256, we kept both inside the generated tickets, so the older code can interoperate.

Opening this bug for removing SHA-1 support.

Comment 1 Sandro Bonazzola 2021-04-28 06:29:19 UTC
What if a user upgrades from 4.4.4 to 4.4.7 after we removed SHA-1 support?

Comment 2 Yedidyah Bar David 2021-04-28 07:10:56 UTC
(In reply to Sandro Bonazzola from comment #1)
> What if a user upgrades from 4.4.4 to 4.4.7 after we removed SHA-1 support?

This bug is about tickets. Tickets should have short lifetimes - IIUC we default to 5 seconds in the Python code (and do not override the default), and the Java code does not have a default; the only user is SignStringQuery.java, which uses WebSocketProxyTicketValiditySeconds (not sure this makes sense - I didn't check whether there are users of SignStringQuery other than websocket-proxy, but the name sounds more general), which defaults to 120 seconds.

This is a good question, though. I agree that we should either do some thorough testing of this flow, or target 4.5 (or require upgrades to 4.4.7 to be from >= 4.4.6 - do not skip versions).

If we want to postpone removal further, perhaps we should at least add some noise when using SHA-1 - at least log warnings/errors, perhaps even optionally fail.
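An added example, not oVirt's own code, of the dual-digest transition this thread describes: the ticket layout and the shared HMAC key are constructed assumptions (the page does not describe the real ticket format or signing key), the 5-second validity is the default quoted in comment 2. A transitional signer emits both SHA-1 and SHA-256 digests, the verifier tries SHA-256 first and logs whenever SHA-1 is what validated a ticket, and a SHA-1-only ticket (the skipped-upgrade case from comment 1) is rejected once SHA-1 is dropped from the accepted list.

```python
import hmac
import json
import logging
import time

log = logging.getLogger("ticket")

# Constructed format: a JSON ticket with one HMAC digest per hash algorithm.
# Assumption: a shared HMAC key stands in for the engine signing key; the real
# oVirt ticket layout and signing mechanism are not described on this page.
SECRET = b"constructed-shared-secret"


def _canonical(data, valid_from, valid_to):
    """Bytes that are signed: payload plus validity window, in a fixed order."""
    return json.dumps([data, valid_from, valid_to], sort_keys=True).encode()


def sign_ticket(data, secret=SECRET, now=None, validity=5, algs=("sha256", "sha1")):
    """Sign data with every digest in algs. 5 s is the Python default quoted above;
    a transitional signer emits both digests, a post-removal signer only sha256."""
    now = int(time.time()) if now is None else now
    valid_to = now + validity
    msg = _canonical(data, now, valid_to)
    sigs = {alg: hmac.new(secret, msg, alg).hexdigest() for alg in algs}
    return {"data": data, "validFrom": now, "validTo": valid_to, "signatures": sigs}


def verify_ticket(ticket, secret=SECRET, now=None, accepted=("sha256",)):
    """Return the algorithm that validated the ticket, or None to reject it.
    accepted is tried in order, so sha256 wins whenever both digests are present;
    a sha1-only ticket passes only while sha1 is still listed, and is logged."""
    now = int(time.time()) if now is None else now
    if not ticket["validFrom"] <= now <= ticket["validTo"]:
        log.warning("ticket outside its validity window")
        return None
    msg = _canonical(ticket["data"], ticket["validFrom"], ticket["validTo"])
    for alg in accepted:
        sig = ticket["signatures"].get(alg)
        if sig is None:
            continue
        if not hmac.compare_digest(sig, hmac.new(secret, msg, alg).hexdigest()):
            return None  # a present but wrong digest is tampering, not a fallback case
        if alg == "sha1":
            log.warning("ticket validated with deprecated SHA-1 digest")
        return alg
    log.warning("ticket carries no accepted digest: %s", sorted(ticket["signatures"]))
    return None
```

Passing `accepted=("sha256", "sha1")` models the 4.4 verifier that still honours both digests, and the default `("sha256",)` models the verifier after this bug's removal.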

Comment 3 Qin Yuan 2022-04-22 02:36:41 UTC
Verified with:
4.5 versions:
ovirt-engine-4.5.0.2-0.7.el8ev.noarch
ovirt-engine-websocket-proxy-4.5.0.2-0.7.el8ev.noarch

4.4 versions:
ovirt-engine-4.4.10.7-0.4.el8ev.noarch
ovirt-engine-websocket-proxy-4.4.10.7-0.4.el8ev.noarch

Steps:
1. Check serial console on 4.5 engine
- create and run a VM with VirtIO serial console enabled
- generate ssh key, copy it to engine
- connect to the VM serial console, execute commands on the serial console

2. Check noVNC
Scenario 1: 
- Install and setup 4.5 engine and websocket-proxy on the same machine
- Check if noVNC works well

Scenario 2: 
- Install and setup 4.4 engine and websocket-proxy on separate machines
- Upgrade websocket-proxy to 4.5, keep engine on 4.4
- Check if noVNC works well

Scenario 3: 
- Install and setup 4.4 engine and websocket-proxy on separate machines
- Upgrade engine to 4.5, keep websocket-proxy on 4.4
- Check if noVNC works well

Results:
1. Can connect to VM serial console and run commands on it.
2. noVNC works fine in all three scenarios, new browser tab with noVNC session appears when clicking VM Console button, could run commands on the opened noVNC session.

Comment 4 Sandro Bonazzola 2022-04-22 15:06:04 UTC
This bugzilla is included in oVirt 4.5.0 release, published on April 20th 2022.

Since the problem described in this bug report should be resolved in oVirt 4.5.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.