[release-4.15] OCPBUGS-49392: Block Upgrades for CA-Signed Certs Using SHA1 #1172
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
jira/severity-moderate
|
Skipping CI for Draft Pull Request. |
openshift-ci-robot
added
the
jira/valid-reference
|
@gcs278: This pull request references Jira Issue OCPBUGS-45290, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/invalid-bug
gcs278
force-pushed
the
block-upgrades-intermediate-sha1
branch
from
6bf324d to
bfdfdf7
Compare
gcs278
changed the title
|
@gcs278: This pull request references Jira Issue OCPBUGS-45290, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
gcs278
changed the title
openshift-ci-robot
removed
jira/severity-moderate
|
@gcs278: No Jira issue is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
removed
the
jira/invalid-bug
gcs278
changed the title
openshift-ci-robot
added
jira/severity-moderate
|
@gcs278: This pull request references Jira Issue OCPBUGS-49392, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
gcs278
force-pushed
the
block-upgrades-intermediate-sha1
branch
from
bfdfdf7 to
031278b
Compare
gcs278
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/assign |
| switch cert.SignatureAlgorithm { | ||
| case x509.SHA1WithRSA, x509.ECDSAWithSHA1: | ||
| return fmt.Errorf("certificate in secret %s/%s has weak SHA1 signature algorithm: %s (see https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html#ocp-4-16-sha-haproxy-support-removed_release-notes for more details)", secret.Namespace, secret.Name, cert.SignatureAlgorithm) | ||
| case x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1: |
There was a problem hiding this comment.
The commit message doesn't say anything about adding x509.DSAWithSHA1. Is this PR actually fixing two separate defects (first, the use of cert.IsCA instead of checking the signer; and second, the missing x509.DSAWithSHA1 case expression)?
There was a problem hiding this comment.
EDIT: Sorry, I thought I was in the router repo not CIO....let me rethink/adjust my answer. Keeping the one below because it actually applies to openshift/router#641
I added per this comment thread for the 4.19 fix. It wasn't really fixing anything new, as DSA was already rejected by the router. I decided to add it to provide a more precise error message about SHA1 not being supported rather than a more obscure Invalid value: "redacted key data": block PRIVATE KEY is not valid.
For this 4.15 upgrade blocker, I carried it over for completeness/consistency, but I suppose that since it's already rejected, it's a bit pointless to block upgrades for it and may cause an unnecessary upgrade blocker for someone that already has a DSA SHA1 cert that is rejected. I don't think anyone should be using DSA SHA1 at this point, but I suppose its better to be safe.
I'll remove it.
There was a problem hiding this comment.
Update: Sorry for the confusion here. My answer above actually applies to openshift/router#641 (I'll follow up over there). Here's what I should have said...
Is this PR actually fixing two separate defects (first, the use of cert.IsCA instead of checking the signer; and second, the missing x509.DSAWithSHA1 case expression)?
Short Answer: Yes, upon further reflection, it is fixing two things, which I should mention in the commit message(s).
Long Answer: Originally, for this PR, I added DSA SHA1 without thinking much about it. However, I did some testing for DSA SHA1, and it's nuanced, but we DO actually need to block upgrades with DSA SHA1 for CIO. Here's why:
- While openshift-router (not HAProxy) rejects DSA certificates because it doesn't have logic to parse them, the CIO allows cluster admins to create DSA SHA1 default certificates
- However, you can't use the K8S TLS secret object because it can't parse the DSA key and you get an error (I guess K8S doesn't support it?) but you can still use an opaque/generic secret:
oc create secret generic router-cert -n openshift-ingress --from-file=tls.key=dsa.key --from-file=tls.crt=dsa-combo.crt
- I tested a 4.15 router image with a DSA-SHA1 default cert, and it worked
- I tested a 4.16 router image with a DSA-SHA1 default cert, and it failed
In summary, I was unaware there was a path for users to use DSA certs in the default certificate on the IngressController. I do think we need to block upgrades in CIO with DSA-SHA1 in this PR, but not in the router PR because the router has always rejected DSA certs. It's an odd situation.
There was a problem hiding this comment.
I split the fixes two commit so I can clearly document each.
I'm not against splitting it out into another PR and/or bug if recommended, but it feels closely related enough I thought to keep it together for now.
|
Just to recap,
Right? |
Yup exactly. An unfortunate failure(s) on my part, which convicted me to do better and actually dig in and understand what/how/why OpenSSL is doing the rejections rather than just trying to observe them from the outside. I found the HAProxy code that throws the md too weak error and traced it into the OpenSSL library skipping checks for self-signed certs. And the fix here and in the router reflect how OpenSSL determines what constitutes a self-signed certificate. |
Previously, upgrades from 4.15 to 4.16 were only blocked for default leaf certs using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. As a result, we were incorrectly allowing upgrades for SHA1 intermediate certificates, while blocking upgrades for self-signed SHA1 leaf certificates. This fix blocks upgrades to 4.16 for IngressControllers with default certificates containing CA-signed SHA1 certs. Root CA certs using SHA1 are still supported.
Previously, upgrades were not being blocked when default certificates used DSA SHA1. Although DSA certificates are rejected at the router level by our validation logic, they can still be used in a default certificate. In 4.15, DSA SHA1 certificates are allowed, but in 4.16, they are rejected by OpenSSL. This fix adds an upgrade blocker in the rare case that a user was using a DSA SHA1 default certificate.
gcs278
force-pushed
the
block-upgrades-intermediate-sha1
branch
from
031278b to
b457c4a
Compare
|
@gcs278: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Thanks! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Great question. We don't maintain a baseline of performance for really anything in the router, but what I have done before is create a benchmark GO test, and compared the old logic to the new logic. I think performance is more of a concern with the router admitting routes vs. the CIO, but either way we still need to be cautious. At one point, I did benchmarking for an iteration of this change (mainly benchmarking the Now, at one point I was actually using the X509 validation function to validation each certificate against itself to detect if it was self-signed, and that was not negligible. If that was my current implementation, I would be more cautious and provide some hard benchmarking numbers. |
+1, we already parse the certificate, which is the costly part. Agreed, this isn't a major concern for the default certificate chain. It's more of a concern for the router, but we're already doing a lot of parsing, validation, and reserialization there. The main thing to look at is the added cost from the changes. |
gcs278
changed the title
Previously, upgrades from 4.15 to 4.16 were only blocked for default leaf certs using SHA1. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. As a result, we were incorrectly allowing upgrades for SHA1 intermediate certificates, while blocking upgrades for self-signed SHA1 leaf certificates.
This fix blocks upgrades to 4.16 for IngressControllers with default certificates containing CA-signed SHA1 certs. Root CA certs using SHA1 are still supported.
Additional Fix For Blocking 4.15-->4.16 Upgrades for DSA SHA1 Default Certs:
Previously, upgrades were not being blocked when default certificates used DSA SHA1. Although DSA certificates are rejected at the router level by our validation logic, they can still be used in a default certificate. In 4.15, DSA SHA1 certificates are allowed, but in 4.16, they are rejected by OpenSSL. This fix adds an upgrade blocker in the rare case that a user was using a DSA SHA1 default certificate.