Univention Bugzilla – Bug 54651
preup.sh does not check the server certificate if SHA1 is used.
Last modified: 2022-05-01 07:37:13 CEST
An update test to UCS5 has revealed a major problem. The preup script does not check if the server certificate is SHA1 signed. The update can be performed, but after the update slapd does not start anymore. The preup.sh must test the server certificate to see if it complies.
univention-updater (15.0.3-71) 89f3bbf45df3 | Bug #54651: added SHA1 check before update
The change needs to go into dists/ucs500/preup.sh, which then needs to be re-signed; no errata to release. The change is not needed for 5.0-1 as the check is too late there and we also already removed the check for the even older MD5.

REL='5.0-0'
SEC="$(repoq get "$REL" gpg_key_passphrase_file)"
KID="$(repoq get "$REL" gpg_key_id)"
repo-ng-sign-release-file --passphrase "$SEC" --keyid "$KID" \
  --input test_mirror/ftp/dists/ucs500/preup.sh \
  --output test_mirror/ftp/dists/ucs500/preup.sh.gpg

slapd -f /etc/ldap/slapd.conf -h ldapi:/// -d Stats
…
TLS: could not use certificate `/etc/univention/ssl/m34.phahn.dev/cert.pem'.
TLS: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak ../ssl/ssl_rsa.c:310
626c1150 main: TLS init def ctx failed: -1

ucr set ssl/default/hashfunction=sha1
univention-certificate renew -name "$(hostname -f)" -days 365
bash check.sh update_check_sha1_signature_is_used

ucr set repository/online/server='http://apt.knut.univention.de/'
OK: univention-upgrade --ignoressh --ignoreterm # BLOCKED
ucr set update50/ignore-sha1-check=yes
OK: univention-upgrade --ignoressh --ignoreterm # FAILS with slapd

ucr set ssl/default/hashfunction=sha1
univention-certificate renew -name "$(hostname -f)" -days 365
ucr set repository/online/server=http://updates.knut.univention.de/
OK: univention-upgrade --ignoressh --ignoreterm # OKAY

sudo update_mirror.sh
ucr set repository/online/server=https://updates.software-univention.de/
OK: univention-upgrade --ignoressh --ignoreterm # OKAY
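As an added example (not part of the bug report and not Univention's own preup.sh code), a shell check of the kind the pre-update test needs: it reads the signature algorithm from `openssl x509 -text` output and blocks on MD5/SHA1, which is what makes slapd fail with "ca md too weak" after the update. The function names `cert_sig_algo`, `is_weak_sig_algo` and `check_cert_file` are hypothetical; the default certificate path follows the one quoted in the comment above.

```shell
#!/bin/sh
# Added example, not Univention code: classify the signature algorithm of
# an X.509 certificate so an upgrade can be blocked before the newer
# OpenSSL used by slapd rejects a SHA1/MD5-signed server certificate.

# Print the first "Signature Algorithm:" value found in `openssl x509 -text`
# output read from stdin. The first occurrence is the TBS signature field,
# which equals the outer signature algorithm in a well-formed certificate.
cert_sig_algo() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Return 0 (true) when the algorithm name is MD5- or SHA1-based, e.g.
# sha1WithRSAEncryption, ecdsa-with-SHA1 or md5WithRSAEncryption.
is_weak_sig_algo() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md5*|*sha1*|*sha-1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a PEM certificate file. Exit status: 0 = acceptable, 1 = weak
# signature (update should be blocked), 2 = certificate unreadable.
# The default path is the UCS host certificate location from the bug log.
check_cert_file() {
    cert="${1:-/etc/univention/ssl/$(hostname -f)/cert.pem}"
    algo="$(openssl x509 -in "$cert" -noout -text 2>/dev/null | cert_sig_algo)"
    [ -n "$algo" ] || { echo "cannot read certificate $cert" >&2; return 2; }
    if is_weak_sig_algo "$algo"; then
        echo "BLOCKED: $cert is signed with $algo; renew it before updating" >&2
        return 1
    fi
    echo "OK: $cert is signed with $algo"
}
```

Run `check_cert_file /path/to/cert.pem` and test the exit status; a non-zero result is the condition under which preup.sh should refuse to continue.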