crypto.py generates certs with SHA-1 digest

Bug #1516703 reported by Anna Sortland
Affects: OpenStack Compute (nova)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

nova/crypto.py:generate_winrm_x509_cert() generates certs with default SHA-1 digest.

The call to 'openssl req' does not specify the -digest option, nor does the certificate config file set a digest, so certificates are generated with the SHA-1 digest. SHA-1 is not considered to be a secure algorithm for certificate digests.

It would be preferable to:
1) let user specify digest algorithm via a config option
2) default to SHA-256

Anna Sortland (annasort)
description: updated
Wenzhi Yu (yuywz)
Changed in nova:
assignee: nobody → Wen Zhi Yu (yuywz)
Revision history for this message
Wenzhi Yu (yuywz) wrote :

I think we do NOT need to introduce a new config option for specifying the digest algorithm. Since SHA-256 is considered to be a secure algorithm, we can just use SHA-256 when making the "openssl req" call. This can make the code clean and simple.

Changed in nova:
status: New → In Progress
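The bug description and the comment above describe the same defect: the 'openssl req' call relies on OpenSSL's default digest instead of asking for SHA-256 explicitly. The script below is an added example written for this page; it is not nova's crypto.py, nor the code under review at the link above. It builds the 'openssl req' argument list both the vulnerable way (no digest option) and the hardened way (explicit -sha256), and it reads the signatureAlgorithm OID out of the resulting DER certificate so the digest actually used can be checked rather than assumed. The argument list, the '/CN=winrm-test' subject, the 3650-day validity and the helper names are assumptions for illustration; the OIDs are the standard PKCS#1 and ECDSA signature-algorithm identifiers. Note that OpenSSL 1.1.0 and later changed the default digest to SHA-256, so the "no digest option" case only reproduces SHA-1 on the OpenSSL releases that were current when this bug was filed; on a modern system the check still demonstrates why the digest should be pinned rather than inherited from whatever openssl happens to default to.

```python
import os
import shutil
import subprocess
import tempfile

# Dotted OIDs of common X.509 signature algorithms (PKCS#1 v2.x, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md5", "sha1")

# DER-encoded OID contents (without tag/length) used by the test fixtures below.
SHA1_RSA_OID = bytes.fromhex("2A864886F70D010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (real certs use this)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Turn the raw bytes of an OBJECT IDENTIFIER into dotted notation."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm(der_cert):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, pos = _read_tlv(der_cert, start)             # skip tbsCertificate
    tag, alg_start, _, _ = _read_tlv(der_cert, pos)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der_cert[oid_start:oid_end])


def is_weak_signature(der_cert):
    """True for MD5/SHA-1 signatures; unknown algorithms are treated as weak."""
    name = SIGNATURE_OIDS.get(signature_algorithm(der_cert))
    if name is None:
        return True
    return any(w in name.lower() for w in WEAK_DIGESTS)


def openssl_req_args(keyfile, certfile, subject, digest=None):
    """Build the 'openssl req' argv (illustrative, not nova's exact call).

    digest=None reproduces the bug: no -digest option, so openssl falls back to
    its default_md (SHA-1 on the releases current when the bug was filed).
    digest="sha256" is the hardened form that pins the digest explicitly.
    """
    args = ["openssl", "req", "-x509", "-nodes", "-days", "3650",
            "-newkey", "rsa:2048", "-keyout", keyfile, "-out", certfile,
            "-outform", "DER", "-subj", subject]
    if digest:
        args.insert(2, "-" + digest)
    return args


def generate_and_inspect(digest=None):
    """Generate a self-signed cert with openssl and return its signature algorithm.

    Returns None when openssl is not on PATH, or "refused" when openssl rejects
    the requested digest (e.g. distro crypto policies that forbid SHA-1 signing).
    """
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        key = os.path.join(workdir, "key.pem")
        cert = os.path.join(workdir, "cert.der")
        try:
            subprocess.run(openssl_req_args(key, cert, "/CN=winrm-test", digest),
                           check=True, capture_output=True)
        except subprocess.CalledProcessError:
            return "refused"
        with open(cert, "rb") as f:
            der = f.read()
    return SIGNATURE_OIDS.get(signature_algorithm(der), "unknown")


def _der(tag, body):
    """Minimal DER encoder for short-form lengths (fixtures only)."""
    return bytes([tag, len(body)]) + body


def fake_certificate(sig_oid_der):
    """Constructed fixture: a Certificate shell with an empty tbsCertificate and
    the given signature OID, enough to exercise signature_algorithm() offline."""
    alg = _der(0x30, _der(0x06, sig_oid_der) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    for d in (None, "sha256"):
        print("digest option %-8s -> %s" % (d, generate_and_inspect(d)))
```

Running the script on a host with openssl prints the signature algorithm openssl actually used for each argument list; the DER walker is what a unit test in nova could use to assert on generated certificates instead of trusting the command line.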
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/246217

Sean Dague (sdague)
Changed in nova:
importance: Undecided → Medium
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Michael Still (<email address hidden>) on branch: master
Review: https://review.openstack.org/246217
Reason: This patch is quite old, so I am abandoning it to keep the review queue manageable. Feel free to restore the change if you're still interested in working on it.

Maciej Szankin (mszankin) wrote :

This bug report has had an assignee for a while now but there is no patch
for it. It looks like the chance of getting a patch is low.
I'm going to remove the assignee to signal to others that they can take
over if they like.
If you want to work on this, please:
* add yourself as assignee AND
* set the status to "In Progress" AND
* provide a (WIP) patch within the next 2 weeks after that.
If you need assistance, reach out on the IRC channel #openstack-nova or
use the mailing list.

Also tagging as New. It is old and requires verification.

Changed in nova:
status: In Progress → New
assignee: Wenzhi Yu (yuywz) → nobody
Sean Dague (sdague)
tags: added: windows
Sean Dague (sdague)
Changed in nova:
status: New → Confirmed
Changed in nova:
assignee: nobody → Harshavardhan Metla (harsha24)
Changed in nova:
assignee: Harshavardhan Metla (harsha24) → nobody