cloudbase / cloudbase-init

Cross-platform instance initialization
http://openstack.org
Apache License 2.0

WinRM listener plugin creates SHA-1 self-signed certificate which is no longer secure #123

Closed AndreasEichhorn closed 3 months ago

AndreasEichhorn commented 9 months ago

Better to create SHA-256 certificates.

Changes should be in: "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\cryptoapi.py" line 141: szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11"

"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\x509.py" line 198: sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA
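A check an administrator can run on a Windows host to see whether the certificate currently bound to the WinRM HTTPS listener (the one the Cloudbase-Init WinRM listener plugin creates) still carries a SHA-1 signature, added here as an example and not code from this issue or from the project. It assumes the WSMan: and Cert: providers of Windows PowerShell and an elevated session.

```powershell
# Added example, not Cloudbase-Init code: report the certificate bound to each
# WinRM HTTPS listener on this host and flag the ones signed with SHA-1.
# Run in an elevated PowerShell session; the WSMan: drive needs the WinRM service.

# Signature-algorithm OIDs whose digest is SHA-1.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.3.14.3.2.29',          # sha1WithRSA (older OID, same digest)
    '1.2.840.10040.4.3'       # dsaWithSha1
)

function Get-WinRmListenerCertificateReport {
    $report = @()
    foreach ($listener in Get-ChildItem -Path WSMan:\localhost\Listener) {
        # Each listener is a container whose child items are its settings.
        $settings  = Get-ChildItem -Path $listener.PSPath
        $transport = ($settings | Where-Object Name -eq 'Transport').Value
        if ($transport -ne 'HTTPS') { continue }

        # WSMan stores the thumbprint as hex; normalise before comparing.
        $thumbprint = (($settings | Where-Object Name -eq 'CertificateThumbprint').Value `
                        -replace '\s', '').ToUpper()
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
                Where-Object Thumbprint -eq $thumbprint | Select-Object -First 1

        $sigOid = if ($cert) { $cert.SignatureAlgorithm.Value } else { $null }
        $report += [PSCustomObject]@{
            Listener   = $listener.Name
            Thumbprint = $thumbprint
            Subject    = if ($cert) { $cert.Subject } else { '<not found in LocalMachine\My>' }
            SigAlg     = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { $null }
            SigAlgOid  = $sigOid
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            Sha1Signed = [bool]($sigOid -and ($Sha1SignatureOids -contains $sigOid))
        }
    }
    return $report
}

$report = Get-WinRmListenerCertificateReport
$report | Format-Table -AutoSize

$weak = @($report | Where-Object Sha1Signed)
if ($weak.Count -gt 0) {
    Write-Warning (('{0} WinRM HTTPS listener(s) use a SHA-1 signed certificate; ' +
                    'reissue with SHA-256 and rebind the listener.') -f $weak.Count)
}
```

A listener whose thumbprint is not found in LocalMachine\My is reported with an empty SigAlg so it is not silently skipped.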

ader1990 commented 9 months ago

Hello @AndreasEichhorn,

Thank you for the information, I will update the code accordingly. Do you happen to have a Microsoft link on this matter? I have tried to find one and did not see anything related to RDP, just the generic move from SHA-1 to SHA-2.

Thank you.

AndreasEichhorn commented 9 months ago

Hello Adrian,

The szOID_RSA_SHA256RSA value is from https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier

The SHA-1 weakness has been known for a long time. You may have a look here: https://en.wikipedia.org/wiki/SHA-1#Attacks

msalmanmasood commented 8 months ago

Team,

Which release of cloudbase-init is updated with the latest code to support SHA-2?

Thanks.

damianbulira commented 6 months ago

+1 to this, some clients are removing their certificates on their own as this (SHA-1) violates their security rules.

tautzie commented 4 months ago

Security dept is chasing me! Please help :P

ader1990 commented 4 months ago

Hello,

The change with the fix was submitted to Gerrit here: https://review.opendev.org/c/x/cloudbase-init/+/910887. It would be nice to have someone test an installer with the fix before getting the change merged.

Thank you.

ader1990 commented 4 months ago

The MSI installer built with https://review.opendev.org/c/x/cloudbase-init/+/910887 can be downloaded from the artifacts tab here: https://github.com/ader1990/cloudbase-init-installer-1/actions/runs/8138619632

ader1990 commented 4 months ago

Tested on Windows Server 2019 and Windows 8.1, worked as expected.

ader1990 commented 3 months ago

Hello @tautzie, I would like to merge the change; can you also confirm that the fix works for you?