Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: 4.19.0
Affects Version/s: 4.17, 4.16.z, 4.18, 4.19
Component/s: Networking / router
Labels:

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
5
Severity:
Moderate
Regression:
None

Target Backport Versions:

4.15
Target Version:

4.19.0
Release Blocker:
Rejected
Sprint:
NE Sprint 263, NE Sprint 264, NE Sprint 265, NI&D Sprint 266
sprint_count:
4

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, the HAProxy router incorrectly assumed that only SHA1 leaf certificates were rejected by HAProxy, causing the router to fail by not rejecting SHA1 intermediate certificates. With this update, the router now inspects and rejects all non-self-signed SHA1 certificates, thereby preventing crashes and improving stability for your cluster stability. (link:https://issues.redhat.com/browse/OCPBUGS-45290[~~OCPBUGS-45290~~])

Show
* Previously, the HAProxy router incorrectly assumed that only SHA1 leaf certificates were rejected by HAProxy, causing the router to fail by not rejecting SHA1 intermediate certificates. With this update, the router now inspects and rejects all non-self-signed SHA1 certificates, thereby preventing crashes and improving stability for your cluster stability. (link: https://issues.redhat.com/browse/OCPBUGS-45290 [ OCPBUGS-45290 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    Routes with SHA1 CA certificates (spec.tls.caCertificate) break HAProxy preventing reload

Version-Release number of selected component (if applicable):

    4.16

How reproducible:

    Always

Steps to Reproduce:

    1. create Route with SHA1 CA certificates
    2.
    3.

Actual results:

    HAProxy router fails to reload

Expected results:

    HAProxy router should either reject Routes with SHA1 CA certificates, or reload successfully

Additional info:

    [ALERT]    (312) : config : parsing [/var/lib/haproxy/conf/haproxy.config:131] : 'bind unix@/var/lib/haproxy/run/haproxy-sni.sock' in section 'frontend' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load chain certificate into SSL Context '/var/lib/haproxy/router/certs/test:test.pem': ca md too weak.

[ALERT]    (312) : config : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT]    (312) : config : Fatal errors found in configuration.

This is a continuation/variance of https://issues.redhat.com/browse/OCPBUGS-26498

blocks

OCPBUGS-49389 [4.18] Routes with SHA1 CA certificate break HAProxy reloading

Closed

is cloned by

OCPBUGS-49389 [4.18] Routes with SHA1 CA certificate break HAProxy reloading

Closed

is related to

OCPBUGS-47761 Router default of the default cert (default_pub_keys.pem) uses SHA1

Closed

relates to

OCPBUGS-26498 Router fails to start/reload with SHA1 cert due to OpenSSL 3.0 in RHEL9

Closed

links to

openshift/router#642: OCPBUGS-45290: Reject All CA-Signed Certs Using SHA1

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

(1 links to)

Assignee:: Grant Spence (Inactive)

Reporter:: Brendan Shirren

Need Info From:: None

Contributors:: None

QA Contact:: Shudi Li

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2024/12/03 3:28 AM

Updated:: 2025/09/13 7:30 PM

Resolved:: 2025/06/17 4:52 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide