[release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 #650

openshift-cherrypick-robot · 2025-02-02T08:48:24Z

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Previously, only SHA1 leaf certs were rejected. However, in 4.16, any SHA1 cert that is CA-signed (not self-signed) is unsupported. This led to cases were routes with SHA1 intermediate CA certs were accepted, but HAProxy rejects them. Self-signed SHA1 certificates (i.e. root CA) remain supported since they are not subject to verification. This update ensures all route certs, including the server, CA, and destination CA certs, are inspected, and any SHA1 cert that is not self-signed is rejected. Similar to SHA1, this fix also allows self-signed MD5 certificates which were incorrectly rejected previously. Additionally, explicitly reject DSA SHA1 certificates. While all DSA certificates are already rejected by the router, this change provides a clearer and more precise rejection error message. Lastly, explicitly reject MD2 certificates. Since MD2 certificates also cause HAProxy to fail to start, they should be explicitly rejected too.

openshift-ci-robot · 2025-02-02T08:48:28Z

@openshift-cherrypick-robot: Detected clone of Jira Issue OCPBUGS-45290 with correct target version. Will retitle the PR to link to the clone.
/retitle [release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1

In response to this:

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-02-02T08:48:42Z

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-49390, which is invalid:

expected dependent Jira Issue OCPBUGS-49389 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

candita · 2025-02-12T15:57:09Z

/assign

candita · 2025-02-12T20:43:48Z

/jira refresh

openshift-ci-robot · 2025-02-12T20:43:52Z

@candita: This pull request references Jira Issue OCPBUGS-49390, which is invalid:

expected dependent Jira Issue OCPBUGS-49389 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

candita · 2025-03-12T01:58:26Z

/jira refresh

openshift-ci-robot · 2025-03-12T01:58:33Z

@candita: This pull request references Jira Issue OCPBUGS-49390, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.17.z) matches configured target version for branch (4.17.z)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-49389 is in the state Closed (Done-Errata), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-49389 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
bug has dependents

Requesting review from QA contact:
/cc @ShudiLi

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

ShudiLi · 2025-03-14T03:40:59Z

tested it with 4.17.0-0.ci.test-2025-03-14-014945-ci-ln-9lhmi6k-latest

1.
% oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.17.0-0.ci.test-2025-03-14-014945-ci-ln-9lhmi6k-latest   True        False         57m     Cluster version is 4.17.0-0.ci.test-2025-03-14-014945-ci-ln-9lhmi6k-latest

2.
% oc -n test get route
NAME           HOST/PORT                  PATH   SERVICES      PORT   TERMINATION   WILDCARD
test-sha1-ca   ExtendedValidationFailed          unsec-apach   8080   edge          None

3.
% oc -n test get route test-sha1-ca -oyaml | grep -A5 status: 
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2025-03-14T03:38:16Z"
      message: 'spec.tls.caCertificate: Invalid value: "redacted ca certificate data":
        router does not support CA-signed certs using SHA1'
--
      status: "False"
      type: Admitted
    host: test-sha1-ca.apps.example.com
    routerCanonicalHostname: router-default.apps.ci-ln-9lhmi6k-72292.gcp-2.ci.openshift.org
    routerName: default
    wildcardPolicy: None

ShudiLi · 2025-03-14T03:41:21Z

/label qe-approved

openshift-ci-robot · 2025-03-14T03:41:27Z

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-49390, which is valid.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.17.z) matches configured target version for branch (4.17.z)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-49389 is in the state Closed (Done-Errata), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-49389 targets the "4.18.z" version, which is one of the valid target versions: 4.18.0, 4.18.z
bug has dependents

Requesting review from QA contact:
/cc @ShudiLi

In response to this:

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

candita · 2025-05-16T20:28:08Z

/lgtm
/approve

This is a clean backport. However, it's worth noting we will not be backporting this past 4.16, which results in the following behavior: versions 4.12-4.15 reject ALL MD5 certs (even though self-signed MD5 certs don't break HAProxy), whereas 4.16+ will allow self-signed MD5 certs. See details in https://github.com/openshift/router/pull/642/files#r1937407274.
The benefit of this backport in providing enhanced HAProxy stability outweighs any risk that might be introduced by the change in rejection of invalid certs.

/label backport-risk-assessed

openshift-ci · 2025-05-16T20:28:41Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [candita]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

candita · 2025-05-16T20:29:17Z

/refresh

lihongan · 2025-05-19T01:02:44Z

/label cherry-pick-approved

openshift-ci · 2025-05-19T04:29:38Z

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot · 2025-05-19T04:32:10Z

@openshift-cherrypick-robot: Jira Issue OCPBUGS-49390: All pull requests linked via external trackers have merged:

openshift/router#650

Jira Issue OCPBUGS-49390 has been moved to the MODIFIED state.

In response to this:

This is an automated cherry-pick of #642

/assign openshift-ci-robot

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-bot · 2025-05-19T05:57:22Z

[ART PR BUILD NOTIFIER]

Distgit: ose-haproxy-router-base
This PR has been included in build ose-haproxy-router-base-container-v4.17.0-202505190535.p0.g1e29d8c.assembly.stream.el9.
All builds following this will include this PR.

openshift-bot · 2025-05-19T06:09:29Z

[ART PR BUILD NOTIFIER]

Distgit: openshift-enterprise-haproxy-router
This PR has been included in build openshift-enterprise-haproxy-router-container-v4.17.0-202505190535.p0.g1e29d8c.assembly.stream.el9.
All builds following this will include this PR.

openshift-merge-robot · 2025-05-23T14:42:30Z

Fix included in accepted release 4.17.0-0.nightly-2025-05-23-045753

openshift-cherrypick-robot assigned openshift-ci-robot Feb 2, 2025

openshift-cherrypick-robot mentioned this pull request Feb 2, 2025

OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1 #642

Merged

openshift-ci bot changed the title ~~[release-4.17] OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1~~ [release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 Feb 2, 2025

openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Feb 2, 2025

openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 2, 2025

openshift-ci bot requested review from frobware and gcs278 February 2, 2025 08:48

gcs278 mentioned this pull request Feb 6, 2025

[release-4.15] OCPBUGS-49392: Block Upgrades in release 4.15 for CA-Signed Certs Using SHA1 openshift/cluster-ingress-operator#1172

Open

openshift-ci bot assigned candita Feb 12, 2025

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 12, 2025

openshift-ci bot requested a review from ShudiLi March 12, 2025 01:58

openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Mar 14, 2025

openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label May 16, 2025

openshift-ci bot assigned lihongan, melvinjoseph86 and rhamini3 May 16, 2025

openshift-ci bot assigned ShudiLi May 16, 2025

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 16, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 16, 2025

openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label May 19, 2025

openshift-merge-bot bot merged commit 1e29d8c into openshift:release-4.17 May 19, 2025
8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 #650

[release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 #650

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 #650

[release-4.17] OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 #650

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!