Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1353938 - firefox complains about apache certificate signed with SHA1 key
Summary: firefox complains about apache certificate signed with SHA1 key
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer
Version: 570
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Jan Dobes
QA Contact: Lukáš Hellebrandt
URL:
Whiteboard:
Depends On:
Blocks: 1340444
TreeView+ depends on / blocked
 
Reported: 2016-07-08 13:11 UTC by Jan Hutař
Modified: 2017-06-21 12:11 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-21 12:11:14 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Jan Hutař 2016-07-08 13:11:37 UTC
Description of problem:
firefox complains about apache certificate signed with SHA1 key


Version-Release number of selected component (if applicable):
installed from 5.7.0 ISO, currently on spacewalk-certs-tools-2.3.0-5.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. # grep 'Signature Algorithm' /etc/pki/tls/certs/spacewalk.crt
      Signature Algorithm: sha1WithRSAEncryption
      Signature Algorithm: sha1WithRSAEncryption


Actual results:
SHA1 used


Expected results:
SHA256 used


Additional info:
You can get same warning via Firefox -> F12 -> switch to Console tab -> refresh page -> notice red warning:

  This site makes use of a SHA-1 Certificate; it's recommended you use
  certificates with signature algorithms that use hash functions stronger
  than SHA-1.[Learn More]

Also, should we have some upgrade instructions as well?

Comment 1 Tomas Lestach 2016-07-08 13:17:41 UTC
this has been fixed in upstream ...

spacewalk.git: 525f1590e78202641d828b2380af5c90415741c5

For more info, see http://post-office.corp.redhat.com/archives/satellite-tech-list/2016-July/msg00024.html

Marking as MODIFIED.

Comment 4 Lukáš Hellebrandt 2017-01-11 12:49:17 UTC
Verified FOR VERSION 5.8 with compose Satellite-5.8-RHEL-6-20170110.n.0-Satellite-x86_64-dvd1.iso.

After installing a clean Satellite, Firefox does not warn about SHA1 certificate being used (as it is not).

# grep 'Signature Algorithm' /etc/pki/tls/certs/spacewalk.crt
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption


After upgrading from some old Satellite, it still does warn which is expected.

# grep 'Signature Algorithm' /etc/pki/tls/certs/spacewalk.crt
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption


Note You need to log in before you can comment on or make changes to this bug.