Closed AndreasEichhorn closed 3 months ago
Hello @AndreasEichhorn,
Thank you for the information, I will update the code accordingly. Do you happen to have a Microsoft link on this matter, as I have tried to find one and did not see anything related to the RDP, but just the generic move from SHA1 to SHA2.
Thank you.
Hello Adrian,
the szOID_RSA_SHA256RSA value is from https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier
The SHA-1 weakness has been known for a long time. You may have a look here: https://en.wikipedia.org/wiki/SHA-1#Attacks
Team,
Which release of cloudbase-init is updated with the latest code to support SHA-2?
Thanks.
+1 to this, some clients are removing their certificates on their own as this (SHA1) violates their security rules
security dept is chasing me! please help :P
Hello,
Change with the fix was submitted to Gerrit here: https://review.opendev.org/c/x/cloudbase-init/+/910887. Would be nice to have someone test an installer with the fix before getting the change merged.
Thank you.
The MSI installer built with https://review.opendev.org/c/x/cloudbase-init/+/910887 can be downloaded from the artifacts tab here: https://github.com/ader1990/cloudbase-init-installer-1/actions/runs/8138619632
Tested on Windows Server 2019 and Windows 8.1, worked as expected.
Hello @tautzie, I would like to merge the change, can you also confirm that the fix works for you?
Better to create SHA256 certificates.
Changes should be in:
"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\cryptoapi.py", line 141: szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11"
"C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\Lib\site-packages\cloudbaseinit\utils\windows\x509.py", line 198: sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA