Bug 1954041 - Remove support for SHA-1 in ticket modules
Summary: Remove support for SHA-1 in ticket modules
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: 4.4.5
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ovirt-4.5.0
Target Release: 4.5.0
Assignee: Yedidyah Bar David
QA Contact: Qin Yuan
URL:
Whiteboard:
Depends On:
Blocks: 1912687
Reported: 2021-04-27 13:50 UTC by Yedidyah Bar David
Modified: 2022-04-22 15:06 UTC (History)
CC: 1 user

Fixed In Version: ovirt-engine-4.5.0
Clone Of:
Environment:
Last Closed: 2022-04-22 15:06:04 UTC
oVirt Team: Integration
Embargoed:
pm-rhel: ovirt-4.5?
sbonazzo: planning_ack?
pm-rhel: devel_ack+
pm-rhel: testing_ack+


Links
oVirt gerrit 118314 (MERGED): ticket: Remove SHA1-based signature support (last updated 2022-01-30 15:09:54 UTC)

Description Yedidyah Bar David 2021-04-27 13:50:05 UTC
Description of problem:

This is an addition to bug 1912689 and bug 1912691.

In order to not risk breaking stuff during the migration from SHA-1 to SHA-256, we kept both inside the generated tickets, so the older code can interoperate.

Opening this bug for removing SHA-1 support.

Comment 1 Sandro Bonazzola 2021-04-28 06:29:19 UTC
What if a user upgrades from 4.4.4 to 4.4.7 after we removed SHA-1 support?

Comment 2 Yedidyah Bar David 2021-04-28 07:10:56 UTC
(In reply to Sandro Bonazzola from comment #1)
> What if a user upgrades from 4.4.4 to 4.4.7 after we removed SHA-1 support?

This bug is about tickets. Tickets should have short lifetimes - IIUC we default to 5 seconds in the python code (and do not override the default), and in Java code do not have a default, and the only user is SignStringQuery.java, which uses WebSocketProxyTicketValiditySeconds (not sure this makes sense - didn't check if there are users of SignStringQuery other than websocket-proxy, but the name sounds more general), which defaults to 120 seconds.

This is a good question, though. I agree that we should either do some thorough testing of this flow, or target 4.5 (or require upgrades to 4.4.7 to be from >= 4.4.6 - do not skip versions).

If we want to postpone removal further, perhaps we should at least add some noise when using SHA-1 - at least log warnings/errors, perhaps even optionally fail.

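The two points above (the description's "keep both digests in the ticket so older code interoperates", and comment 2's short ticket lifetime and suggestion to log when SHA-1 is used) can be shown as a small verifier. This is an added example and not oVirt's ticket module: it uses an HMAC over a canonical string as the signing primitive (an assumption chosen so the example runs offline), and the three verifier policies ("sha1_only", "migration", "sha256_only") are hypothetical roles standing for a peer from before the migration, a peer that accepts both, and a peer after this bug's removal. The 5-second default validity is the one comment 2 quotes for the python code.

```python
"""Dual-digest ticket migration (SHA-1 -> SHA-256), added illustration.

Not oVirt code. HMAC is an assumed signing primitive; the policy names are
hypothetical roles:
  sha1_only    - pre-migration verifier, knows only SHA-1
  migration    - prefers SHA-256, falls back to SHA-1 with a warning
  sha256_only  - post-removal verifier (what this bug implements)
"""
import base64
import hashlib
import hmac
import json
import logging
import os

log = logging.getLogger("ticket")

DEFAULT_VALIDITY_SECONDS = 5  # default quoted in comment 2 for the python code
CANONICAL_FIELDS = ("salt", "validFrom", "validTo", "data")
_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
_POLICIES = {
    "sha1_only": ("sha1",),
    "migration": ("sha256", "sha1"),
    "sha256_only": ("sha256",),
}


def _canonical(ticket):
    # Sign a fixed, ordered list of fields so verification does not depend on
    # dict ordering or on fields that were never signed.
    return json.dumps([ticket[f] for f in CANONICAL_FIELDS],
                      separators=(",", ":")).encode()


def _mac(key, payload, name):
    return base64.b64encode(hmac.new(key, payload, _DIGESTS[name]).digest()).decode()


def issue_ticket(key, data, now, validity=DEFAULT_VALIDITY_SECONDS,
                 emit_sha1=True, salt=None):
    """Issue a short-lived ticket. emit_sha1=True is the migration-phase
    issuer (both signatures); False is the post-removal issuer."""
    ticket = {
        "salt": salt if salt is not None else os.urandom(8).hex(),
        "validFrom": now,
        "validTo": now + validity,
        "data": data,
    }
    payload = _canonical(ticket)
    ticket["signatures"] = {"sha256": _mac(key, payload, "sha256")}
    if emit_sha1:
        ticket["signatures"]["sha1"] = _mac(key, payload, "sha1")
    return ticket


def verify_ticket(key, ticket, now, policy="sha256_only"):
    """Return ticket['data'] if valid under `policy`, else raise ValueError."""
    if not ticket["validFrom"] <= now < ticket["validTo"]:
        raise ValueError("ticket outside its validity window")
    payload = _canonical(ticket)
    sigs = ticket.get("signatures", {})
    for name in _POLICIES[policy]:
        if name not in sigs:
            continue
        if name == "sha1":
            # Comment 2's "add some noise": make legacy use visible in logs.
            log.warning("ticket %s verified with legacy SHA-1 signature", ticket["salt"])
        if hmac.compare_digest(sigs[name], _mac(key, payload, name)):
            return ticket["data"]
        # The strongest signature we understand decides. Never fall through
        # to a weaker digest after a failure; that would be a downgrade path.
        raise ValueError(f"bad {name} signature")
    raise ValueError(f"no signature acceptable under policy {policy!r}")


def accepts(key, ticket, now, policy):
    """Boolean wrapper around verify_ticket for tables and tests."""
    try:
        verify_ticket(key, ticket, now, policy)
        return True
    except ValueError:
        return False


def interop_matrix(key, now=1_000_000):
    """Which (issuer, verifier) pairs interoperate, as {(issuer, policy): bool}.
    A 'post_removal' issuer against a 'sha1_only' verifier is the version-skip
    case comment 1 asks about."""
    results = {}
    for issuer, emit_sha1 in (("migration", True), ("post_removal", False)):
        t = issue_ticket(key, "vm-console", now, emit_sha1=emit_sha1, salt="abcd")
        for policy in _POLICIES:
            results[(issuer, policy)] = accepts(key, t, now + 1, policy)
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for pair, ok in interop_matrix(b"constructed-demo-key").items():
        print(f"issuer={pair[0]:13s} verifier={pair[1]:12s} {'ok' if ok else 'REJECTED'}")
```

The matrix makes the upgrade concern concrete: every verifier accepts a migration-phase ticket, but only verifiers that already understand SHA-256 accept a post-removal ticket, so the removal is safe once no peer that predates the migration can still receive tickets. Because tickets expire within seconds, the window in which both sides must agree is the upgrade itself, not stored state.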
Comment 3 Qin Yuan 2022-04-22 02:36:41 UTC
Verified with:
4.5 versions:
ovirt-engine-4.5.0.2-0.7.el8ev.noarch
ovirt-engine-websocket-proxy-4.5.0.2-0.7.el8ev.noarch

4.4 versions:
ovirt-engine-4.4.10.7-0.4.el8ev.noarch
ovirt-engine-websocket-proxy-4.4.10.7-0.4.el8ev.noarch

Steps:
1. Check serial console on 4.5 engine
- create and run a VM with VirtIO serial console enabled
- generate ssh key, copy it to engine
- connect to the VM serial console, execute commands on the serial console

2. Check noVNC
Scenario 1: 
- Install and setup 4.5 engine and websocket-proxy on the same machine
- Check if noVNC works well

Scenario 2: 
- Install and setup 4.4 engine and websocket-proxy on separate machines
- Upgrade websocket-proxy to 4.5, keep engine on 4.4
- Check if noVNC works well

Scenario 3: 
- Install and setup 4.4 engine and websocket-proxy on separate machines
- Upgrade engine to 4.5, keep websocket-proxy on 4.4
- Check if noVNC works well

Results:
1. Can connect to VM serial console and run commands on it.
2. noVNC works fine in all three scenarios: a new browser tab with the noVNC session appears when clicking the VM Console button, and commands can be run in the opened noVNC session.

Comment 4 Sandro Bonazzola 2022-04-22 15:06:04 UTC
This bugzilla is included in the oVirt 4.5.0 release, published on April 20th 2022.

Since the problem described in this bug report should be resolved in oVirt 4.5.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
