Description of problem:
Customer is using SAML authentication by way of Microsoft ADFS as an identity provider. The workaround solution is to use SHA-1 (less secure) instead of SHA-256. Requesting that SHA256 support in mod_mellon be included with CFME in order to accommodate SAML/SHA256 auth.

Version-Release number of selected component (if applicable):
5.9.2.4

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Blocked by this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1295472
Adding SHA-256 signature support is an open issue for mod_auth_mellon.
See: https://github.com/Uninett/mod_auth_mellon/issues/60

This mod_auth_mellon issue needs to be resolved before CFME can expose it.
(In reply to Joe Vlcek from comment #2)
> Adding SHA-256 signature support is an open issue for mod_auth_mellon
> See: https://github.com/Uninett/mod_auth_mellon/issues/60
>
> This mod_auth_mellon issue needs to be resolved before CFME can expose it.

Joe, can I get an update here?
(In reply to Loic Avenel from comment #3)
> (In reply to Joe Vlcek from comment #2)
> > Adding SHA-256 signature support is an open issue for mod_auth_mellon
> > See: https://github.com/Uninett/mod_auth_mellon/issues/60
> >
> > This mod_auth_mellon issue needs to be resolved before CFME can expose it.
>
> Joe, can I get an update here?

Loic,

We cannot support SHA256 in Apache until this mod_auth_mellon issue is resolved.
https://github.com/Uninett/mod_auth_mellon/issues/60#

I have requested an ETA on the issue.

JoeV
Joe, I don't see any movement on the mod_auth_mellon issue here?
What can we do?
(In reply to Loic Avenel from comment #5)
> Joe, I don't see any movement on the mod_auth_mellon issue here?
> What can we do?

Loic,

I will investigate. Since the last update some work has been done to mod_auth_mellon which may provide the requested support.

I'll leave the NEEDSINFO flag set while I am investigating.

JoeV
I added support to mellon for SHA-256 a year and a half ago in the following upstream commit. It first appeared in upstream 14.0. mod_auth_mellon-14.0 was built for RHEL-7 a year ago in June of 2018 (sorry, don't recall the exact RHEL update). This is the first time I've seen this bug. I was the mod_auth_mellon maintainer during this period; maintainership recently was transferred to Jakub Hrozek <jhrozek>.

commit 9b17e5c1078a9be90de1e9d03079b34ca4056e96 (origin/sign_alg)
Author: John Dennis <jdennis>
Date:   Thu Jan 11 13:05:26 2018 -0500

    Add MellonSignatureMethod to control signature algorithm

    Previously there was no way to control the signature algorithm used
    when Mellon signed its SAML messages. It simply defaulted to whatever
    the default was in the LassoServer server object. Currently the lasso
    default is LASSO_SIGNATURE_METHOD_RSA_SHA1. Some IdPs require a
    different or more secure method (e.g. ADFS).

    This patch allows controlling the signature method on a per directory
    basis via the MellonSignatureMethod configuration directive. It
    currently supports the following configuration values which map to
    these Lasso enumerated constants (provided these definitions exist in
    Lasso):

    rsa-sha1:   LASSO_SIGNATURE_METHOD_RSA_SHA1
    rsa-sha256: LASSO_SIGNATURE_METHOD_RSA_SHA256
    rsa-sha384: LASSO_SIGNATURE_METHOD_RSA_SHA384
    rsa-sha512: LASSO_SIGNATURE_METHOD_RSA_SHA512

    configure.ac was modified to test for the existence of the above Lasso
    definitions; support is only compiled into Mellon if they are defined
    at build time.

    Important: This patch also changes the default used by Mellon from
    rsa-sha1 to rsa-sha256. This was done because SHA1 is no longer
    considered safe; SHA256 is now the current recommendation.

    The patch also includes a few corrections in the diagnostics code
    where it failed to use CFG_VALUE. Also fixed the diagnostics code when
    an unknown value was encountered to print what that unknown value was.

    Signed-off-by: John Dennis <jdennis>
As John Dennis points out in the above comment, the newer version of mod_auth_mellon now supports SHA-256 and it does it as the default.

"Important: This patch also changes the default used by Mellon from rsa-sha1 to rsa-sha256. This was done because SHA1 is no longer considered safe, SHA256 is now the current recommendation."

I have tested the latest upstream ManageIQ build, which contains mod_auth_mellon version 0.14.0-2.el7_6.4

I see in the apache ssl_request.log "ECDHE-RSA-AES128-GCM-SHA256".

So I am marking this BZ closed as a duplicate of:
BZ 1295472 - mod_auth_mellon not working with SHA-256 ADFS

*** This bug has been marked as a duplicate of bug 1295472 ***
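Added example, not code from this bug thread or from mod_auth_mellon: using the algorithm names the commit message in comment #7 lists, this script reads the signature algorithm straight out of captured SAML messages (the ds:SignatureMethod of a POST-binding Response and the SigAlg parameter of a Redirect-binding AuthnRequest), which is a direct way to confirm a deployment is signing with rsa-sha256 rather than rsa-sha1. The sample messages are constructed and adfs.example.test is a placeholder hostname.

```python
from urllib.parse import parse_qs, urlparse
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm URIs as they appear in ds:SignatureMethod (POST binding) and in
# the SigAlg query parameter (Redirect binding), keyed to Mellon's names.
SIG_ALG_NAMES = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "rsa-sha512",
}
WEAK_ALGS = {"rsa-sha1"}

def xml_signature_method(saml_xml: str) -> str:
    """Algorithm name from the first ds:SignatureMethod, or 'unsigned'."""
    node = ET.fromstring(saml_xml).find(f".//{{{DS_NS}}}SignatureMethod")
    if node is None:
        return "unsigned"
    uri = node.get("Algorithm", "")
    return SIG_ALG_NAMES.get(uri, f"unknown({uri})")

def redirect_sig_alg(url: str) -> str:
    """Algorithm name from the SigAlg parameter of a Redirect-binding URL."""
    values = parse_qs(urlparse(url).query).get("SigAlg")
    if not values:
        return "unsigned"
    return SIG_ALG_NAMES.get(values[0], f"unknown({values[0]})")

def is_weak(alg: str) -> bool:
    """True for algorithms that should raise a finding (SHA-1 based)."""
    return alg in WEAK_ALGS

# Constructed samples, not captured traffic; adfs.example.test is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</samlp:Response>"""
SAMPLE_REDIRECT = ("https://adfs.example.test/adfs/ls/?SAMLRequest=fZEx&RelayState=x"
                   "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
                   "&Signature=AAAA")

if __name__ == "__main__":
    for label, alg in (("Response", xml_signature_method(SAMPLE_RESPONSE)),
                       ("AuthnRequest", redirect_sig_alg(SAMPLE_REDIRECT))):
        print(f"{label}: {alg}" + (" (weak)" if is_weak(alg) else ""))
```

Run it against the AuthnRequest redirect URL Mellon emits and the Response ADFS posts back; a "rsa-sha1" result on either side means the SHA-1 workaround is still in effect.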