Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-4.16] OCPBUGS-49391: Reject All CA-Signed Certs Using SHA1 #651

Open
wants to merge 1 commit into
base: release-4.16
Choose a base branch
from
Open

[release-4.16] OCPBUGS-49391: Reject All CA-Signed Certs Using SHA1 #651

wants to merge 1 commit into from

Conversation

openshift-cherrypick-robot
Copy link

This is an automated cherry-pick of #642

/assign openshift-ci-robot

@gcs278
OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1
04dd456 
Previously, only SHA1 leaf certs were rejected. However, in 4.16, any
SHA1 cert that is CA-signed (not self-signed) is unsupported. This led
to cases were routes with SHA1 intermediate CA certs were accepted, but
HAProxy rejects them. Self-signed SHA1 certificates (i.e. root CA)
remain supported since they are not subject to verification.

This update ensures all route certs, including the server, CA, and
destination CA certs, are inspected, and any SHA1 cert that is not
self-signed is rejected.

Similar to SHA1, this fix also allows self-signed MD5 certificates
which were incorrectly rejected previously.

Additionally, explicitly reject DSA SHA1 certificates. While all DSA
certificates are already rejected by the router, this change provides
a clearer and more precise rejection error message.

Lastly, explicitly reject MD2 certificates. Since MD2 certificates
also cause HAProxy to fail to start, they should be explicitly
rejected too.
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Feb 2, 2025
Merged
@openshift-ci-robot
Copy link
Contributor

@openshift-cherrypick-robot: Detected clone of Jira Issue OCPBUGS-45290 with correct target version. Will retitle the PR to link to the clone.
/retitle [release-4.16] OCPBUGS-49391: Reject All CA-Signed Certs Using SHA1

In response to this:

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title [release-4.16] OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1 [release-4.16] OCPBUGS-49391: Reject All CA-Signed Certs Using SHA1 Feb 2, 2025
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Feb 2, 2025
@openshift-ci-robot
Copy link
Contributor

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-49391, which is invalid:

  • expected dependent Jira Issue OCPBUGS-49390 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is New instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from frobware and rfredette February 2, 2025 08:49
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 2, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Feb 2, 2025

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-serial 04dd456 link true /test e2e-aws-serial

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278 gcs278 mentioned this pull request Feb 6, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frobware frobware Awaiting requested review from frobware

@rfredette rfredette Awaiting requested review from rfredette

Assignees

@openshift-ci-robot openshift-ci-robot

Labels
jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@openshift-cherrypick-robot @openshift-ci-robot @gcs278