crypto.py generates certs with SHA-1 digest

Bug #1516703 reported by Anna Sortland on 2015-11-16
Affects: OpenStack Compute (nova)  Importance: Medium  Assigned to: Unassigned

Bug Description

nova/crypto.py:generate_winrm_x509_cert() generates certs with default SHA-1 digest.

The call to 'openssl req' does not specify the -digest option, nor does the certificate config file set a digest, so certificates are generated with the SHA-1 digest. SHA-1 is not considered a secure algorithm for certificate digests.

It would be preferable to:
1) let user specify digest algorithm via a config option
2) default to SHA-256

Anna Sortland (annasort) on 2015-11-16
description: updated
Wenzhi Yu (yuywz) on 2015-11-17
Changed in nova:
assignee: nobody → Wen Zhi Yu (yuywz)
Wenzhi Yu (yuywz) wrote :

I think we do NOT need to introduce a new config option for specifying the digest algorithm. Since SHA-256 is considered to be a secure algorithm, we can just use SHA-256 when making the "openssl req" call. This keeps the code clean and simple.

Changed in nova:
status: New → In Progress
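As an added example (not nova's code, and not the reporter's or Wenzhi Yu's patch): the shape of the 'openssl req' call the report describes, with the explicit digest flag the comment above proposes, plus a small DER walker that audits which signature digest an issued certificate actually carries. The argv layout, the file paths and the two embedded certificate skeletons are assumptions constructed for this example.

```python
SIG_ALG_NAMES = {                        # OIDs seen in a cert's signatureAlgorithm field
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def build_req_cmd(key_path, cert_path, config_path, digest="sha256"):
    """argv for 'openssl req' (assumed layout). digest=None omits the -<digest>
    flag, so OpenSSL's default applies: SHA-1 on releases current when this was filed."""
    cmd = ["openssl", "req", "-x509", "-nodes", "-days", "3650", "-config", config_path,
           "-newkey", "rsa:2048", "-keyout", key_path, "-out", cert_path]
    if digest:
        cmd.append("-" + digest)         # e.g. -sha256, the fix proposed in the report
    return cmd

def _tlv(buf, pos):
    """Decode one DER tag/length header -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                    # base-128 arcs; high bit means "continues"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, body)      # skip tbsCertificate
    _, alg_body, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid_start, oid_end = _tlv(der, alg_body)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_NAMES.get(oid, oid)   # unknown OIDs come back as dotted strings

def uses_sha1(der):
    return signature_algorithm(der).startswith("sha1")

# Constructed minimal DER skeletons (dummy TBS and signature) for offline checks.
CERT_SHA1 = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d0101050500" "030200ff")
CERT_SHA256 = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d01010b0500" "030200ff")
```

To audit a real certificate produced by the command, strip the PEM armour, base64-decode the body and pass the resulting bytes to uses_sha1().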
Sean Dague (sdague) on 2016-02-20
Changed in nova:
importance: Undecided → Medium
tags: added: security

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/246217
Reason: This patch is quite old, so I am abandoning it to keep the review queue manageable. Feel free to restore the change if you're still interested in working on it.

Maciej Szankin (mszankin) wrote :

This bug report has had an assignee for a while now, but there is no patch for it. It looks like the chance of getting a patch is low. I'm going to remove the assignee to signal to others that they can take over if they like.

If you want to work on this, please:
* add yourself as assignee AND
* set the status to "In Progress" AND
* provide a (WIP) patch within the next 2 weeks after that.

If you need assistance, reach out on the IRC channel #openstack-nova or use the mailing list.

Also tagging as New. It is old and needs to be verified.

Changed in nova:
status: In Progress → New
assignee: Wenzhi Yu (yuywz) → nobody
Sean Dague (sdague) on 2017-06-08
tags: added: windows
Sean Dague (sdague) on 2017-06-28
Changed in nova:
status: New → Confirmed