
[release/6.0] OpenSslX509ChainProcessor: ignore NotSignatureValid on last element. #70343

Status: Merged (1 commit, Jun 9, 2022)

Conversation

tmds (Member) commented Jun 7, 2022

Backport of #69668 to release/6.0

Fixes: #65874 (comment)

Customer Impact

RHEL9's default crypto policy no longer accepts the use of RSA+SHA1 signatures.

Because .NET uses strict OpenSSL validation, it does not accept certain certificates, which are considered valid by other tools (like curl/wget). This causes websites like https://pkgs.dev.azure.com to no longer be accessible using HttpClient on RHEL9.

This change relaxes the validation so these certificates are trusted by .NET.

Testing

New tests are included as part of the change.

Risk

Low. The existing tests, combined with the new tests, give confidence in the scoped change. The version in main (and the backport) were authored by a Red Hat employee, so we feel that the new RHEL9 scenario has gotten about as good an eye as it could get.
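The PR title describes the behaviour being backported: a NotSignatureValid status is ignored only when it sits on the last chain element, the self-signed trust anchor, whose self-signature plays no part in the trust decision (the anchor is trusted because it is in the trust store). The following C# is an added illustration of that rule written against the public X509Chain API; it is not the runtime's own chain-processor code, and the certificate file name is a placeholder.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainStatusCheck
{
    // Returns true when the only problem reported anywhere in the chain is a
    // NotSignatureValid flag on the last element AND that element is self-issued.
    // A trust anchor is trusted by identity (its presence in the store), not by
    // verifying its self-signature, so a self-signature the platform policy rejects
    // (e.g. RSA+SHA1 under the RHEL9 default policy) does not weaken the path.
    // The same flag on a leaf or intermediate is a genuine failure and is kept.
    public static bool IsValidIgnoringAnchorSelfSignature(X509Chain chain)
    {
        X509ChainElementCollection elements = chain.ChainElements;
        int last = elements.Count - 1;

        for (int i = 0; i < elements.Count; i++)
        {
            foreach (X509ChainStatus status in elements[i].ChainElementStatus)
            {
                // Mask off the one ignorable flag and see whether anything else remains.
                X509ChainStatusFlags remaining =
                    status.Status & ~X509ChainStatusFlags.NotSignatureValid;
                if (remaining != X509ChainStatusFlags.NoError)
                    return false;

                bool hadSignatureFlag =
                    (status.Status & X509ChainStatusFlags.NotSignatureValid) != 0;
                if (hadSignatureFlag && !(i == last && IsSelfIssued(elements[i].Certificate)))
                    return false; // NotSignatureValid below the anchor: real failure
            }
        }
        return true;
    }

    // Self-issued: subject and issuer names are byte-for-byte identical.
    static bool IsSelfIssued(X509Certificate2 cert) =>
        cert.SubjectName.RawData.AsSpan().SequenceEqual(cert.IssuerName.RawData);

    static void Main()
    {
        // Placeholder path; point it at a leaf certificate to inspect.
        using var cert = new X509Certificate2("server.cer");
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool strict = chain.Build(cert); // false when the anchor's self-signature is rejected
        bool relaxed = IsValidIgnoringAnchorSelfSignature(chain);
        Console.WriteLine($"strict={strict} relaxed={relaxed}");
    }
}
```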

tmds (Member, Author) commented Jun 7, 2022

@bartonjs feel free to improve my initial message.

tmds (Member, Author) commented Jun 7, 2022

cc @omajid

@ghost ghost added the community-contribution Indicates that the PR has been added by a community member label Jun 7, 2022
ghost commented Jun 7, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.


@bartonjs @vcsjones ptal.

Author: tmds; Assignees: -; Labels: area-System.Security; Milestone: -

@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Jun 7, 2022
bartonjs (Member) commented Jun 7, 2022

The failed legs are Helix warnings about queue deprecation, no tests failed.

@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Jun 7, 2022
@rbhanda rbhanda added this to the 6.0.7 milestone Jun 7, 2022
carlossanlop (Member) commented

Servicing-approved label applied. Area owner signed off. CI passed with unrelated failures.
:shipit:

@carlossanlop carlossanlop merged commit 6f81e35 into dotnet:release/6.0 Jun 9, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jul 10, 2022