Bug 1817346 - [UI] SHA1 fingerprint shown to the user for approval
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.8
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ovirt-4.4.7
Target Release: 4.4.7
Assignee: eraviv
QA Contact: Michael Burman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-26 08:08 UTC by Juan Orti
Modified: 2021-07-22 15:12 UTC

Fixed In Version: ovirt-engine-4.4.7.2
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-22 15:12:18 UTC
oVirt Team: Network
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 4930351 | 0 | None | None | None | 2020-03-26 08:30:05 UTC
Red Hat Product Errata | RHSA-2021:2865 | 0 | None | None | None | 2021-07-22 15:12:56 UTC
oVirt gerrit | 109285 | 0 | master | ABANDONED | engine: use SHA-512 instead of SHA-1 | 2020-12-07 08:16:30 UTC
oVirt gerrit | 115022 | 0 | master | MERGED | engine: display SHA-256 for providers cert | 2021-06-07 11:56:07 UTC

Description Juan Orti 2020-03-26 08:08:17 UTC
Description of problem:
When testing the connection to ovirt-provider-ovn, the SHA1 fingerprint of the CA certificate is shown to the user for approval, although all the certificates are signed with SHA256.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.8.2-0.4.el7.noarch
ovirt-web-ui-1.6.0-2.el7ev.noarch


How reproducible:


Steps to Reproduce:
1. Deploy new RHV 4.3.8 HostedEngine with ovirt-provider-ovn
2. Check that all certs are SHA256:

#!/bin/bash
names="engine apache websocket-proxy jboss imageio-proxy ovirt-provider-ovn"
for name in $names; do
    echo "### $name"
    openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -text -noout | grep -i "Signature Algorithm"
done
echo "### CA"
openssl x509 -in /etc/pki/ovirt-engine/ca.pem -text -noout | grep -i "Signature Algorithm"
echo "### Apache CA"
openssl x509 -in /etc/pki/ovirt-engine/apache-ca.pem -text -noout | grep -i "Signature Algorithm"
echo "### Trust store"
LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -v | grep -i "Signature Algorithm"    #(password: mypass)
echo "### External trust store"
LANG=C keytool -list -keystore /var/lib/ovirt-engine/external_truststore  -v | grep -i "Signature Algorithm"   #(password: changeit)

3. In RHV-M, go to Administration -> Providers -> ovirt-provider-ovn -> Edit -> Test button

Actual results:
The SHA1 of the CA cert is shown to the user for approval.

Expected results:
As the SHA1 algorithm is being deprecated, it makes sense not to use it anywhere.

Additional info:

Comment 1 Sharon Gratch 2020-05-21 11:29:14 UTC
This seems related to Networking so re-assigning

Comment 2 Dominik Holler 2020-05-26 13:35:19 UTC
Let's show the fingerprint and the algorithm of the certificate.
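
Added example, not part of the bug report or of the ovirt-engine code: the digest used for a fingerprint is chosen by the tool that displays it and is independent of the certificate's signature algorithm, so the same SHA-256-signed certificate has both a SHA-1 and a SHA-256 fingerprint. The script generates a throwaway self-signed certificate (constructed, CN constructed-demo-ca) and checks its SHA-256 fingerprint against a value obtained separately; all function names are hypothetical.

```shell
#!/bin/bash
# Added example. Requires the openssl CLI; the certificate is a constructed
# throwaway, not one of the files under /etc/pki/ovirt-engine.

# Create a self-signed RSA certificate signed with SHA-256 in directory $1.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed-demo-ca" \
        -keyout "$1/demo.key" -out "$1/demo.pem" 2>/dev/null
}

# Signature algorithm recorded inside certificate $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Fingerprint of certificate $1 with digest $2 (sha1, sha256, ...),
# printed as colon-separated upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -"$2" | cut -d= -f2
}

# The same SHA-256 value computed directly over the DER encoding.
der_sha256() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Strip colons and spaces, lower-case the hex digits.
normalize_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# Succeed only if the SHA-256 fingerprint of cert $1 equals expected value $2.
fingerprint_matches() {
    [ "$(normalize_fp "$(cert_fingerprint "$1" sha256)")" = "$(normalize_fp "$2")" ]
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_demo_cert "$workdir"
cert="$workdir/demo.pem"

echo "Signature algorithm: $(cert_sig_alg "$cert")"
echo "SHA-1 fingerprint:   $(cert_fingerprint "$cert" sha1)"
echo "SHA-256 fingerprint: $(cert_fingerprint "$cert" sha256)"
fingerprint_matches "$cert" "$(der_sha256 "$cert")" && echo "SHA-256 fingerprint verified"
```
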

Comment 7 Michael Burman 2021-06-13 08:40:32 UTC
Verified on - rhvm-4.4.7.3-0.3.el8ev.noarch

Comment 13 errata-xmlrpc 2021-07-22 15:12:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2865

