Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: None
Affects Version/s: 4.17, 4.16.z, 4.18, 4.19
Component/s: Networking / router
Labels:

Severity:
Moderate
Regression:
None
Story Points:
1
Sprint:
NI&D Sprint 268
sprint_count:
1
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the router incorrectly assumed that only `SHA1` leaf certificates were rejected by HAProxy. This caused the router to fail as it rejected `SHA1` intermediate certificates. With this release, the router now inspects all non-self-signed certificates and rejects any that use `SHA1`. The router no longer crashes because of the existence of `SHA1` intermediate certificates. Self-signed `SHA1` certificates are no longer rejected. Root CAs can continue to use `SHA1`. (link:https://issues.redhat.com/browse/OCPBUGS-49389[*~~OCPBUGS-49389~~*])

Show
* Previously, the router incorrectly assumed that only `SHA1` leaf certificates were rejected by HAProxy. This caused the router to fail as it rejected `SHA1` intermediate certificates. With this release, the router now inspects all non-self-signed certificates and rejects any that use `SHA1`. The router no longer crashes because of the existence of `SHA1` intermediate certificates. Self-signed `SHA1` certificates are no longer rejected. Root CAs can continue to use `SHA1`. (link: https://issues.redhat.com/browse/OCPBUGS-49389 [* OCPBUGS-49389 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.18.z
Target Backport Versions:

4.15

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue OCPBUGS-45290. The following is the description of the original issue:
—
Description of problem:

    Routes with SHA1 CA certificates (spec.tls.caCertificate) break HAProxy preventing reload

Version-Release number of selected component (if applicable):

    4.16

How reproducible:

    Always

Steps to Reproduce:

    1. create Route with SHA1 CA certificates
    2.
    3.

Actual results:

    HAProxy router fails to reload

Expected results:

    HAProxy router should either reject Routes with SHA1 CA certificates, or reload successfully

Additional info:

    [ALERT]    (312) : config : parsing [/var/lib/haproxy/conf/haproxy.config:131] : 'bind unix@/var/lib/haproxy/run/haproxy-sni.sock' in section 'frontend' : 'crt-list' : error processing line 1 in file '/var/lib/haproxy/conf/cert_config.map' : unable to load chain certificate into SSL Context '/var/lib/haproxy/router/certs/test:test.pem': ca md too weak.

[ALERT]    (312) : config : Error(s) found in configuration file : /var/lib/haproxy/conf/haproxy.config

[ALERT]    (312) : config : Fatal errors found in configuration.

This is a continuation/variance of https://issues.redhat.com/browse/OCPBUGS-26498

blocks

OCPBUGS-49390 [4.17] Routes with SHA1 CA certificate break HAProxy reloading

POST

clones

OCPBUGS-45290 [4.19] Routes with SHA1 CA certificate break HAProxy reloading

Verified

is blocked by

OCPBUGS-45290 [4.19] Routes with SHA1 CA certificate break HAProxy reloading

Verified

is cloned by

OCPBUGS-49390 [4.17] Routes with SHA1 CA certificate break HAProxy reloading

POST

links to

openshift/router#649: [release-4.18] OCPBUGS-49389: Reject All CA-Signed Certs Using SHA1

RHBA-2025:1904 OpenShift Container Platform 4.18.z bug fix update

(1 links to)

Assignee:: Miciah Masters

Reporter:: OpenShift Prow Bot

QA Contact:: Shudi Li

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/01/27 9:03 PM

Updated:: 2025/03/17 10:24 PM

Resolved:: 2025/03/04 5:12 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates