Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.17, 4.16.z, 4.18, 4.19
Component/s: Networking / router
Labels:

Severity:
Moderate
Regression:
None
Sprint:
NE Sprint 263, NE Sprint 264, NE Sprint 265, NI&D Sprint 266
sprint_count:
4
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
*Cause*: The router incorrectly assumed that only SHA1 leaf certificates were rejected by HAProxy.
*Consequence*: The router failed to reject SHA1 intermediate certificates causing HAProxy to fail.
*Fix*: The router now inspects all non-self-signed certificates and rejects any that use SHA1.
*Result*: The router no longer crashes due to SHA1 intermediate certificates, and self-signed SHA1 certificates are no longer rejected. Root CAs can continue to use SHA1.

Show
*Cause*: The router incorrectly assumed that only SHA1 leaf certificates were rejected by HAProxy. *Consequence*: The router failed to reject SHA1 intermediate certificates causing HAProxy to fail. *Fix*: The router now inspects all non-self-signed certificates and rejects any that use SHA1. *Result*: The router no longer crashes due to SHA1 intermediate certificates, and self-signed SHA1 certificates are no longer rejected. Root CAs can continue to use SHA1.
Release Note Type:
Bug Fix
Release Note Status:
In Progress
Target Version:

4.19.0
Target Backport Versions:

4.15

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Description of problem:

    Routes with SHA1 CA certificates (spec.tls.caCertificate) break HAProxy preventing reload

Version-Release number of selected component (if applicable):

    4.16

How reproducible:

    Always

Steps to Reproduce:

    1. create Route with SHA1 CA certificates
    2.
    3.

Actual results:

    HAProxy router fails to reload

Expected results:

    HAProxy router should either reject Routes with SHA1 CA certificates, or reload successfully

Additional info:

    [ALERT]    (312) : config : parsing [/var/lib/haproxy/conf/haproxy.config:131] : 'bind unix@/var/lib/haproxy/run/haproxy-sni.sock' in section 'frontend' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load chain certificate into SSL Context '/var/lib/haproxy/router/certs/test:test.pem': ca md too weak.

[ALERT]    (312) : config : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT]    (312) : config : Fatal errors found in configuration.

This is a continuation/variance of https://issues.redhat.com/browse/OCPBUGS-26498

blocks

OCPBUGS-49389 [4.18] Routes with SHA1 CA certificate break HAProxy reloading

POST

is cloned by

OCPBUGS-49389 [4.18] Routes with SHA1 CA certificate break HAProxy reloading

POST

is related to

OCPBUGS-47761 Router default of the default cert (default_pub_keys.pem) uses SHA1

Verified

relates to

OCPBUGS-26498 Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

Closed

links to

openshift/router#642: OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

(1 links to)

Assignee:: Grant Spence

Reporter:: Brendan Shirren

QA Contact:: Shudi Li

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/12/03 3:28 AM

Updated:: 2025/02/17 6:13 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates