Bug #38506

open

katello-certs-check not working with SHA1 Root CA

Added by David Ochner 4 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
foreman-installer script
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:

Description

I know why it blocks SHA1, but after some research I found out that the check does not cover all cases.
We use a custom CA bundle which includes a SHA1 Root CA and SHA256 Sub CAs.

Foreman with Katello uses a certificate which is created from one of the Sub CAs. Foreman is working correctly with this setup, and after removing the SHA1 check
from katello-certs-check I was able to update to Foreman 3.14 without a problem.

I have tested the test mentioned in https://issues.redhat.com/browse/SAT-29322, `/opt/puppetlabs/puppet/bin/curl https://$(hostname -f)/rhsm/status --cacert /root/weak_ca/sha1/ca.crt`, with our bundle which includes SHA1 and SHA256 and did not get any error.
The used OpenSSL lib seems to check this correctly: https://github.com/openssl/openssl/blob/3423c30db3aa044f46e1f0270e2ecd899415bf5f/crypto/x509/x509_vfy.c#L210

I think the SHA1 CA check must be reworked.
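The distinction the report relies on is the one OpenSSL's x509_vfy.c makes in check_auth_level(): the signature algorithm is checked for every certificate in the built chain except the trust anchor, because a self-signed root's own signature is never verified (trust comes from the store, not from the signature). A bundle check that greps for "sha1" anywhere therefore rejects setups OpenSSL accepts. The script below is an added example of a check that mirrors that rule; it is not katello-certs-check's own code and not the reporter's. It parses the PEM bundle with a small stdlib-only DER reader (so no openssl binary is needed), treats a certificate whose issuer equals its subject as a trust anchor, and flags SHA-1/MD5 signatures only on the other certificates. The sample bundle is constructed in the script from certificate-shaped DER with placeholder keys and signatures, and goes beyond the reporter's case by also including a SHA-1-signed intermediate, which a reworked check must still reject. All names and OIDs in the sample are assumptions.

```python
"""Added example (not katello-certs-check's or Foreman's own code): flag weak
signature algorithms in a CA bundle the way OpenSSL's check_auth_level() does,
i.e. on every certificate except self-signed trust anchors."""
import base64
import re

# AlgorithmIdentifier OIDs (RFC 3279) for signature schemes the check rejects.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OID_COMMON_NAME = "2.5.4.3"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(contents):
    """Split the contents of a SEQUENCE/SET into (tag, contents) elements."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _tlv(contents, pos)
        out.append((tag, val))
    return out


def _oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _common_name(name_der):
    """CN from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if _oid(oid[1]) == OID_COMMON_NAME:
                return value[1].decode("utf-8", "replace")
    return "?"


def inspect(der):
    """Return (subject CN, signature OID, self_signed) for one DER certificate."""
    tbs, sig_alg, _signature = _children(_tlv(der, 0)[1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # tbsCertificate order: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    sig_oid = _oid(_children(sig_alg[1])[0][1])
    return _common_name(subject), sig_oid, issuer == subject


def weak_signatures(bundle_pem, skip_trust_anchors=True):
    """List (CN, algorithm) of weakly signed certs in a PEM bundle.
    skip_trust_anchors=True mirrors OpenSSL, which never checks the signature
    algorithm of the chain's trust anchor; False reproduces the overly broad
    'any SHA-1 anywhere in the bundle' behaviour the bug report describes."""
    findings = []
    for match in PEM_RE.finditer(bundle_pem):
        cn, sig_oid, self_signed = inspect(base64.b64decode(match.group(1)))
        if sig_oid in WEAK_SIG_OIDS and not (skip_trust_anchors and self_signed):
            findings.append((cn, WEAK_SIG_OIDS[sig_oid]))
    return findings


# ---- constructed sample bundle: certificate-shaped DER, not real certificates ----
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid_der(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return _der(0x06, bytes(body))


def make_test_cert(subject_cn, issuer_cn, sig_oid):
    """RFC 5280 Certificate layout with the given names and signature algorithm;
    key and signature are placeholders, so it verifies nowhere (assumed data)."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, _oid_der(OID_COMMON_NAME) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _oid_der(sig_oid) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"350101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer_cn) + validity + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = "".join(to_pem(make_test_cert(s, i, o)) for s, i, o in [
    ("Corp Root CA", "Corp Root CA", "1.2.840.113549.1.1.5"),       # SHA-1 self-signed root: tolerated
    ("Corp Issuing CA", "Corp Root CA", "1.2.840.113549.1.1.11"),   # SHA-256 intermediate: fine
    ("Legacy Sub CA", "Corp Root CA", "1.2.840.113549.1.1.5"),      # SHA-1 intermediate: must be flagged
])

if __name__ == "__main__":
    print("bundle-wide grep :", weak_signatures(SAMPLE_BUNDLE, skip_trust_anchors=False))
    print("OpenSSL-like rule:", weak_signatures(SAMPLE_BUNDLE))
```

On the sample bundle the bundle-wide rule reports both the root and the legacy intermediate, while the OpenSSL-like rule reports only "Legacy Sub CA", which is the outcome the reporter's setup (SHA-1 root, SHA-256 sub CAs) needs. Two caveats for a real rework: OpenSSL skips whichever certificate ends up as the anchor of the built chain, so a bundle that deliberately trusts an intermediate directly is also tolerated by OpenSSL but would still be flagged here; and a SHA-1 root that is ever presented by the server as part of its chain is harmless only because it is not signature-checked, so the check should run against the server certificate chain as well as the CA bundle.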

Actions #1

Updated by David Ochner 4 days ago

  • Fixed in Releases deleted (3.14.1)