WinRM listener plugin creates sha1 self signed certificate which is no longer secure #123
Comments
Hello @AndreasEichhorn, Thank you for the information, I will update the code accordingly. Thank you.
Hello Adrian, the szOID_RSA_SHA256RSA value is from https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier The SHA1 weakness has already been known for a long time. You may have a look here: https://en.wikipedia.org/wiki/SHA-1#Attacks
Team, which release of the cloudbase-init is updated with the latest code to support SHA-2? Thanks.
+1 to this, some clients are removing their certificates on their own as this (SHA1) violates their security rules
security dept is chasing me! please help :P
Hello, Change with the fix was submitted to Gerrit here: https://review.opendev.org/c/x/cloudbase-init/+/910887. Would be nice to have someone test an installer with the fix before getting the change merged. Thank you.
SHA1 is no longer secure and thus needs to be replaced by a secure algorithm, in this case SHA256.
See: https://en.wikipedia.org/wiki/SHA-1#Attacks
Fixes: cloudbase#123
Change-Id: Ib565b99116fe966421f57b6c1f3bf6d6b9589288
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
The MSI installer built with https://review.opendev.org/c/x/cloudbase-init/+/910887 can be downloaded from the artifacts tab here: https://github.com/ader1990/cloudbase-init-installer-1/actions/runs/8138619632
Tested on Windows Server 2019 and Windows 8.1, worked as expected.
Hello @tautzie, I would like to merge the change, can you also confirm that the fix works for you?
Better to create SHA256 certificates.
Changes should be in:
"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\cryptoapi.py"
line 141
szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11"
"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\x509.py"
line 198
sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA