1817346 – [UI] SHA1 fingerprint shown to the user for approval

Bug 1817346 - [UI] SHA1 fingerprint shown to the user for approval

Summary: [UI] SHA1 fingerprint shown to the user for approval

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-engine
Sub Component:
Version:	4.3.8
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	ovirt-4.4.7
Target Release:	4.4.7
Assignee:	eraviv
QA Contact:	Michael Burman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-03-26 08:08 UTC by Juan Orti
Modified:	2021-07-22 15:12 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ovirt-engine-4.4.7.2
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-07-22 15:12:18 UTC
oVirt Team:	Network
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	4930351	None	None	None	2020-03-26 08:30:05 UTC
Red Hat Product Errata	RHSA-2021:2865	None	None	None	2021-07-22 15:12:56 UTC
oVirt gerrit	109285	master	ABANDONED	engine: use SHA-512 instead of SHA-1	2020-12-07 08:16:30 UTC
oVirt gerrit	115022	master	MERGED	engine: display SHA-256 for providers cert	2021-06-07 11:56:07 UTC

Description Juan Orti 2020-03-26 08:08:17 UTC

Description of problem:
When testing the connection to ovirt-provider-ovn, the SHA1 fingerprint of the CA certificate is shown to the user for approval, although all the certificates are signed with SHA256

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.8.2-0.4.el7.noarch
ovirt-web-ui-1.6.0-2.el7ev.noarch


How reproducible:


Steps to Reproduce:
1. Deploy new RHV 4.3.8 HostedEngine with ovirt-provider-ovn
2. Check that all certs are SHA256:

#!/bin/bash
names="engine apache websocket-proxy jboss imageio-proxy ovirt-provider-ovn"
for name in $names; do
    echo "### $name"
    openssl x509 -in /etc/pki/ovirt-engine/certs/"${name}".cer -text -noout | grep -i "Signature Algorithm"
done
echo "### CA"
openssl x509 -in /etc/pki/ovirt-engine/ca.pem -text -noout | grep -i "Signature Algorithm"
echo "### Apache CA"
openssl x509 -in /etc/pki/ovirt-engine/apache-ca.pem -text -noout | grep -i "Signature Algorithm"
echo "### Trust store"
LANG=C keytool -list -keystore /etc/pki/ovirt-engine/.truststore -v | grep -i "Signature Algorithm"    #(password: mypass)
echo "### External trust store"
LANG=C keytool -list -keystore /var/lib/ovirt-engine/external_truststore  -v | grep -i "Signature Algorithm"   #(password: changeit)

3. In RHV-M, go to Administration -> Providers -> ovirt-provider-ovn -> Edit -> Test button

Actual results:
The SHA1 of the CA cert is shown to the user for approval.

Expected results:
As the SHA1 algorithm is being deprecated, it makes sense not to use it anywhere.

Additional info:

Comment 1 Sharon Gratch 2020-05-21 11:29:14 UTC

This seems related to Networking so re-assigning

Comment 2 Dominik Holler 2020-05-26 13:35:19 UTC

Let's show the fingerprint and the algorithm of the certificate.

Comment 7 Michael Burman 2021-06-13 08:40:32 UTC

Verified on - rhvm-4.4.7.3-0.3.el8ev.noarch

Comment 13 errata-xmlrpc 2021-07-22 15:12:18 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) security update [ovirt-4.4.7]), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2865

Note You need to log in before you can comment on or make changes to this bug.