This is a tracker bug for all uses of SHA-1 in oVirt. Ideally/eventually, each and every use should either be replaced (probably with SHA-256) or approved to be safe.
grep -irw 'sha1' in the engine sources finds 18 places, and at least 1-2 of them are not related to above and need separate decisions. Moving back to new.
Now grepped the engine sources for sha1|sha.1. Summary: - Remove old sha1 ticket code - python and java I think it's safe to do in a single patch, only in 4.5. I'll handle. - backend/manager/modules/uutils/src/main/java/org/ovirt/engine/core/uutils/crypto/EnvelopeEncryptDecrypt.java - backend/manager/modules/uutils/src/test/java/org/ovirt/engine/core/uutils/crypto/EnvelopePBETest.java Not sure, Martin? - backend/manager/modules/vdsbroker/src/main/java/org/ovirt/engine/core/vdsbroker/vdsbroker/MultipathHealthHandler.java Looks ok - uses sha1 only for preventing duplicate updates - backend/manager/sso-client-registration-tool/src/main/resources/org/ovirt/engine/ssoreg/core/arguments.properties Martin? - backend/manager/tools/src/main/resources/org/ovirt/engine/core/cryptotool/arguments.properties Martin? - packaging/setup/ovirt_engine_setup/remote_engine.py I think should be ok to change to SHA256, and anyway, it's not critical - it's signing only the CSR, not the actual eventual cert. - packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/config/iso_domain.py Remove the code completely, also nfs? We kept it functional, but only accessible via an answer file. No idea if someone uses it, but it was deprecated long ago. I think I'll handle, by removing. Should be ok for 4.5 IMO. - packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py Only used for showing a fingerprint to the user. I think it should be ok to change to SHA256. I'll handle.
With the linked patches, all items in comment 2 should be handled, other than those in which I asked Martin to have a look.
QE: Some flows relevant to the changes linked from this bug, other than normal sanity tests (new setups and upgrade from previous): - 118342: packaging: setup: Remove automatic iso domain creation Before 4.2.0, we used to ask about automatically creating an NFS ISO domain. See also bug 1332813. In 4.2.0, we stopped asking, but it was still possible to make engine-setup create one, e.g. using an answer-file generated by < 4.2, or by adding manually 'OVESETUP_SYSTEM/nfsConfigEnabled=bool:True'. So a relevant flow is to upgrade from such a system, and see if anything is severely affected by this change. E.g.: * Install 4.4 engine packages * engine-setup --otopi-environment=OVESETUP_SYSTEM/nfsConfigEnabled=bool:True * Upgrade to a fixed version (current 4.5) * engine-cleanup Even if there are remains of the nfs export, which should have been cleaned up if running engine-cleanup before the upgrade, not sure that's a bug, or that we'll handle it. But please check, and if you do, please document your findings. Thanks. - 118314: ticket: Remove SHA1-based signature support Affects ticket code, which is used by websocket-proxy and vmconsole. A relevant flow which might be affected: * Install and setup 4.4 (>= 4.4.6, see bug 1912691) engine and websocket-proxy on separate machines * Upgrade one of them to 4.5 and keep the other on 4.4 * Make sure websocket-proxy works well - can be used for novnc etc. I also now filed https://github.com/oVirt/ovirt-site/issues/2718 . - 118401: packaging: setup: More small SHA256 cleanups * Setup an engine and websocket-proxy and/or (dwh+)grafana on two or three separate machines.
Moving to infra to finish the stuff listed in comment #2
something like https://github.com/oVirt/ovirt-engine/pull/394 should cover engien side, needs a corresponding change in aaa-jdbc.
Moving to https://github.com/oVirt/ovirt-engine/issues/682