Bug 2071615 - openssl SHA-1 sigalags no longer are offered in LEGACY
Summary: openssl SHA-1 sigalags no longer are offered in LEGACY
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: 36
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Alexander Sosedkin
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2022-04-04 11:19 UTC by Alexander Sosedkin
Modified: 2022-04-25 16:36 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-04-25 16:36:22 UTC
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FC-422 0 None None None 2022-04-04 11:20:46 UTC

Description Alexander Sosedkin 2022-04-04 11:19:40 UTC
I don't see SHA-1 in sigalgs on Fedora 36 LEGACY, which is likely a result of tightening openssl 3 SECLEVEL change.

Some of the options are:
1. WONTFIX, not cool because we do want SHA-1 in LEGACY going forward, even for F39
2. modify SECLEVEL=1 to include it, not cool because it's a deviation of upstream
3. introduce new control to enable SHA-1 in LEGACY,
   not cool because new control is kinda late to introduce post-F36 beta,
   but we'll need that for F37+ anyway.

Comment 1 Alexander Sosedkin 2022-04-04 12:21:57 UTC
related: bz2070977

Comment 2 Clemens Lang 2022-04-05 14:55:38 UTC
We'll probably go for #3 and backport the change in bz2070977 that we're going to do for f37 anyway.

Comment 3 Clemens Lang 2022-04-08 15:15:08 UTC
With https://bodhi.fedoraproject.org/updates/FEDORA-2022-d906a1fd24, crypto-policies needs to set rh-allow-sha1-signatures=yes and SECLEVEL=1 for SHA-1 to work.

Comment 4 Clemens Lang 2022-04-08 15:22:54 UTC
To clarify: rh-allow-sha1-signatures=yes and SECLEVEL=1 will allow SHA-1 in TLS. SHA-1 signatures will work outside of TLS with rh-allow-sha1-signatures=yes (or not set) and SECLEVEL=2.

Comment 5 Florian Apolloner 2022-04-19 07:44:25 UTC
I want to check if this patch helps with https://bugzilla.redhat.com/show_bug.cgi?id=2069239 -- how/where do I need to set rh-allow-sha1-signatures=yes to see if that might help (or is that the default now anyways)?

Comment 6 Clemens Lang 2022-04-19 10:34:32 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=2070977#c2. The default for rh-allow-sha1-signatures is yes on F36. I didn't check what crypto-policies currently sets on F36, but if it sets SECLEVEL=1, as I believe it does in LEGACY, that combination should already allow SHA-1 signatures in TLS.

Comment 7 Clemens Lang 2022-04-25 16:36:22 UTC
On F36 with crypto-policies 20220203-2.git112f859.fc36, update-crypto-policies --set LEGACY already sets SECLEVEL=1, and rh-allow-sha1-signatures=yes is the default, so this is fixed.

Note You need to log in before you can comment on or make changes to this bug.