Devstack tls-proxy fails on newer OpenSSL versions

Bug #1962600 reported by Michael Johnson
Affects: devstack | Status: Fix Released | Importance: Undecided | Assigned to: Michael Johnson

Bug Description

When devstack is used with the tls-proxy service enabled, it will fail to create keys due to the use of SHA1. Recent versions of OpenSSL no longer allow SHA1 (including the one included in CentOS 9 Stream).

Devstack fails at:
+ lib/tls:make_int_CA:303 : /usr/bin/openssl req -config /opt/stack/data/CA/int-ca/ca.conf -sha1 -newkey rsa -nodes -keyout /opt/stack/data/CA/int-ca/private/cacert.key -out /opt/stack/data/CA/int-ca/cacert.csr -outform PEM

with:

801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:

Changing lib/tls to use SHA256 (the minimum recommended version) resolves the issue.
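As an added example that is not part of this bug report or of devstack: the script below audits existing CA material for certificates signed with SHA-1, which is what the old lib/tls produced and what a host like the CentOS 9 Stream one above will refuse. It reads only the outer signatureAlgorithm OID with a minimal DER walk (PEM or DER input); the sample certificates it builds are constructed for the demonstration, not real certificates.

```python
"""Flag X.509 certificates whose signatureAlgorithm uses SHA-1 (added example, not devstack code)."""
import base64
import re

# DER-encoded OID -> (algorithm name, signed with SHA-1?)
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", True),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", False),
    bytes.fromhex("2a8648ce3d0401"): ("ecdsa-with-SHA1", True),
    bytes.fromhex("2a8648ce3d040302"): ("ecdsa-with-SHA256", False),
}

def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _der(tag, value):
    """Encode one DER TLV (only needed to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def signature_algorithm(cert):
    """Return (name, uses_sha1) for a certificate's outer signatureAlgorithm."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, pos, _ = _tlv(cert, 0)           # Certificate ::= SEQUENCE {
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _tlv(cert, pos)           #   tbsCertificate (skipped whole)
    _, pos, _ = _tlv(cert, pos)           #   signatureAlgorithm ::= SEQUENCE {
    tag, start, end = _tlv(cert, pos)     #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected an OID"
    return SIG_OIDS.get(cert[start:end], (cert[start:end].hex(), False))

def constructed_cert(sig_oid_hex, pem=False):
    """Constructed sample shaped like a Certificate (unsigned, not a real cert);
    tbsCertificate is padded past 127 bytes so long-form lengths get exercised."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, b"\x00" * 200))
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))
    if not pem:
        return der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

On a real deployment, pass it the bytes of a certificate file from the /opt/stack/data/CA tree shown in the trace above; a `True` second element means the certificate must be regenerated with the SHA256 setting this fix introduces.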

Changed in devstack:
status: New → In Progress
Michael Johnson (johnsom) wrote :
Changed in devstack:
assignee: nobody → Michael Johnson (johnsom)
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (master)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/831245
Committed: https://opendev.org/openstack/devstack/commit/35bc600da17c7342345fa9c4d0b8078a8388fad1
Submitter: "Zuul (22348)"
Branch: master

commit 35bc600da17c7342345fa9c4d0b8078a8388fad1
Author: Michael Johnson <email address hidden>
Date: Mon Feb 28 18:42:34 2022 +0000

    Fix tls-proxy on newer versions of openssl

    Newer versions of openssl (CentOS9Stream for example) do not like using sha1.
    Devstack will fail on these systems[1] with the following error:
    801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:
    This patch updates the tls-proxy code in devstack to use sha256 instead of sha1 which allows devstack to complete when tls-proxy is enabled.

    [1] https://zuul.opendev.org/t/openstack/build/1d90b22a39c74e24a8390861b3c5f957/log/job-output.txt#5535

    Closes-Bug: #1962600

    Change-Id: I71e1371affe32f070167037b0109a489d196bd31

Changed in devstack:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/devstack/+/848364

OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/devstack/+/848365

OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/848364
Committed: https://opendev.org/openstack/devstack/commit/89caa372884d5f0f988ba17b821df794e3d36d7e
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 89caa372884d5f0f988ba17b821df794e3d36d7e
Author: Michael Johnson <email address hidden>
Date: Mon Feb 28 18:42:34 2022 +0000

    Fix tls-proxy on newer versions of openssl

    Newer versions of openssl (CentOS9Stream for example) do not like using sha1.
    Devstack will fail on these systems[1] with the following error:
    801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:
    This patch updates the tls-proxy code in devstack to use sha256 instead of sha1 which allows devstack to complete when tls-proxy is enabled.

    [1] https://zuul.opendev.org/t/openstack/build/1d90b22a39c74e24a8390861b3c5f957/log/job-output.txt#5535

    Closes-Bug: #1962600

    Change-Id: I71e1371affe32f070167037b0109a489d196bd31
    (cherry picked from commit 35bc600da17c7342345fa9c4d0b8078a8388fad1)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/848365
Committed: https://opendev.org/openstack/devstack/commit/c6604eb6b0700c4f8ba5b461691003593f1e5353
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit c6604eb6b0700c4f8ba5b461691003593f1e5353
Author: Michael Johnson <email address hidden>
Date: Mon Feb 28 18:42:34 2022 +0000

    Fix tls-proxy on newer versions of openssl

    Newer versions of openssl (CentOS9Stream for example) do not like using sha1.
    Devstack will fail on these systems[1] with the following error:
    801B93DCE77F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:333:
    This patch updates the tls-proxy code in devstack to use sha256 instead of sha1 which allows devstack to complete when tls-proxy is enabled.

    [1] https://zuul.opendev.org/t/openstack/build/1d90b22a39c74e24a8390861b3c5f957/log/job-output.txt#5535

    Closes-Bug: #1962600

    Change-Id: I71e1371affe32f070167037b0109a489d196bd31
    (cherry picked from commit 35bc600da17c7342345fa9c4d0b8078a8388fad1)

tags: added: in-stable-wallaby