
WinRM listener plugin creates sha1 self signed certificate which is no longer secure #123

Closed
AndreasEichhorn opened this issue Sep 19, 2023 · 9 comments

Comments

@AndreasEichhorn

Better to create SHA256 certificates.

Changes should be in:
"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\cryptoapi.py"
line 141
szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11"

"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\x509.py"
line 198
sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA
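A defender-side check for the problem this issue describes, added here as an example (not cloudbase-init code): walk the outer DER structure of an X.509 certificate, read the `signatureAlgorithm` OID and flag sha1WithRSAEncryption. The SHA-256 OID in the table is the same `1.2.840.113549.1.1.11` value the issue proposes for `szOID_RSA_SHA256RSA`; the two sample certificates are constructed stand-ins with a placeholder tbsCertificate and signature, not real certificates.

```python
"""Classify the signature algorithm of a DER X.509 certificate (stdlib only).
Added example, not cloudbase-init code; the sample certs are constructed
stand-ins with a placeholder tbsCertificate and signature."""
# RFC 3279 / RFC 4055 OIDs; the SHA-256 one is the value of szOID_RSA_SHA256RSA
# that the issue proposes for cryptoapi.py.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_ALGS = {"sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted form (first byte = 40*a + b, then base-128 arcs)."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm(der_cert):
    """Dotted OID of Certificate.signatureAlgorithm (the outer AlgorithmIdentifier)."""
    tag, cert, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)    # tbsCertificate, skipped
    _, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def is_weakly_signed(der_cert):
    """True when the certificate's signature algorithm is on the weak list."""
    return SIG_ALG_OIDS.get(signature_algorithm(der_cert)) in WEAK_ALGS

# Constructed DER: SEQUENCE { SEQUENCE { INTEGER 1 }, AlgorithmIdentifier, BIT STRING }
_PREFIX, _SUFFIX = "30183003020101300d06092a864886f70d0101", "0500030200ff"
SAMPLE_SHA1_CERT = bytes.fromhex(_PREFIX + "05" + _SUFFIX)
SAMPLE_SHA256_CERT = bytes.fromhex(_PREFIX + "0b" + _SUFFIX)
```

To check a real WinRM listener certificate, export it from the machine store in DER form and pass the raw bytes to `signature_algorithm()`.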

@ader1990
Member

ader1990 commented Oct 9, 2023

Hello @AndreasEichhorn,

Thank you for the information, I will update the code accordingly.
Do you happen to have a Microsoft link on this matter, as I have tried to find one and did not see anything related to the RDP, but just the generic move from SHA1 to SHA2.

Thank you.

@AndreasEichhorn
Author

Hello Adrian,

the szOID_RSA_SHA256RSA value is from https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier

The SHA-1 weakness has been known for a long time. You may have a look here: https://en.wikipedia.org/wiki/SHA-1#Attacks

@msalmanmasood

Team,

Which release of cloudbase-init is updated with the latest code to support SHA-2?

Thanks.

@damianbulira

+1 to this, some clients are removing their certificates on their own as this (SHA1) violates their security rules

@tautzie

tautzie commented Mar 4, 2024

security dept is chasing me! please help :P

@ader1990
Member

ader1990 commented Mar 4, 2024

Hello,

Change with the fix was submitted to Gerrit here: https://review.opendev.org/c/x/cloudbase-init/+/910887. Would be nice to have someone test an installer with the fix before getting the change merged.

Thank you.

ader1990 added a commit to ader1990/cloudbase-init-1 that referenced this issue Mar 4, 2024
SHA1 is no longer secure and thus needs to be replaced by
a secure algorithm, in this case SHA256.

See:
https://en.wikipedia.org/wiki/SHA-1#Attacks

Fixes: cloudbase#123

Change-Id: Ib565b99116fe966421f57b6c1f3bf6d6b9589288
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
@ader1990
Member

ader1990 commented Mar 4, 2024

The MSI installer built with https://review.opendev.org/c/x/cloudbase-init/+/910887 can be downloaded from the artifacts tab here: https://github.com/ader1990/cloudbase-init-installer-1/actions/runs/8138619632

@ader1990
Member

ader1990 commented Mar 5, 2024

The MSI installer built with https://review.opendev.org/c/x/cloudbase-init/+/910887 can be downloaded from the artifacts tab here: https://github.com/ader1990/cloudbase-init-installer-1/actions/runs/8138619632

Tested on Windows Server 2019 and Windows 8.1, worked as expected.

@ader1990
Member

Hello @tautzie, I would like to merge the change, can you also confirm that the fix works for you?
