Bug 54651 - preup.sh does not check the server certificate if SHA1 is used.
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Update - univention-updater
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-1-errata
Assigned To: Juan Pedro Torres
Philipp Hahn
https://git.knut.univention.de/univen...
Depends on:
Blocks:
Reported: 2022-04-07 10:34 CEST by Dirk Schnick
Modified: 2022-05-01 07:37 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022040721000266
Bug group (optional):
Max CVSS v3 score:

Description Dirk Schnick univentionstaff 2022-04-07 10:34:48 CEST
An update test to UCS5 has revealed a major problem. The preup script does not check if the server certificate is SHA1-signed. The update can be performed, but after the update slapd does not start anymore.
The preup.sh must test the server certificate to see if it complies.
Comment 3 Juan Pedro Torres univentionstaff 2022-04-29 14:46:24 CEST
univention-updater (15.0.3-71)
89f3bbf45df3 | Bug #54651: added SHA1 check before update
Comment 4 Philipp Hahn univentionstaff 2022-04-30 10:29:44 CEST
The change needs to go into dists/ucs500/preup.sh, which then needs to be re-signed; no errata to release.

The change is not needed for 5.0-1 as the check is too late there and we also already removed the check for the even older MD5.

REL='5.0-0'
SEC="$(repoq get "$REL" gpg_key_passphrase_file)"
KID="$(repoq get "$REL" gpg_key_id)"
repo-ng-sign-release-file  --passphrase "$SEC" --keyid "$KID" \
 --input test_mirror/ftp/dists/ucs500/preup.sh \
 --output test_mirror/ftp/dists/ucs500/preup.sh.gpg

slapd -f /etc/ldap/slapd.conf -h ldapi:/// -d Stats
…
TLS: could not use certificate `/etc/univention/ssl/m34.phahn.dev/cert.pem'.
TLS: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak ../ssl/ssl_rsa.c:310
626c1150 main: TLS init def ctx failed: -1

    ucr set ssl/default/hashfunction=sha1
    univention-certificate renew -name "$(hostname -f)" -days 365
    bash check.sh update_check_sha1_signature_is_used
    ucr set repository/online/server='http://apt.knut.univention.de/'
OK: univention-upgrade --ignoressh --ignoreterm # BLOCKED
    ucr set update50/ignore-sha1-check=yes
OK: univention-upgrade --ignoressh --ignoreterm # FAILS with slapd
    ucr set ssl/default/hashfunction=sha1
    univention-certificate renew -name "$(hostname -f)" -days 365
    ucr set repository/online/server=http://updates.knut.univention.de/
OK: univention-upgrade --ignoressh --ignoreterm # OKAY
    sudo update_mirror.sh
    ucr set repository/online/server=https://updates.software-univention.de/
OK: univention-upgrade --ignoressh --ignoreterm # OKAY
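The check the report asks for, and the slapd failure Comment 4 reproduces, as an added example (not Univention's own preup.sh or check.sh): a POSIX shell check of the host certificate's signature digest. It assumes the certificate path and the value of the update50/ignore-sha1-check override are supplied by the caller.

```shell
#!/bin/sh
# Added example, not Univention's own preup.sh: a pre-update check that blocks
# the upgrade when the host certificate is signed with SHA1 (or the older MD5),
# the case in which slapd fails after the update with "ca md too weak".
# Assumptions: certificate path and override value are passed in by the caller.

# Print the first "Signature Algorithm" line from `openssl x509 -noout -text`
# output read on stdin (the first one is the signature over the certificate).
cert_signature_algorithm() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Exit 0 if the algorithm name uses a digest OpenSSL rejects for certificate
# signatures (MD5 or SHA1), e.g. sha1WithRSAEncryption, ecdsa-with-SHA1; else 1.
digest_is_weak() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same decision for certificate text already captured on stdin.
cert_text_is_weak() {
    digest_is_weak "$(cert_signature_algorithm)"
}

# Exit 0 when the update may proceed, 1 when it must be blocked.
# $2=yes mirrors "ucr set update50/ignore-sha1-check=yes": warn but continue.
check_host_certificate() {
    cert="$1"; ignore="${2:-no}"
    text=$(openssl x509 -noout -text -in "$cert") || return 1
    algo=$(printf '%s\n' "$text" | cert_signature_algorithm)
    if digest_is_weak "$algo"; then
        if [ "$ignore" = yes ]; then
            echo "WARNING: $cert is signed with $algo; continuing as requested" >&2
            return 0
        fi
        echo "ERROR: $cert is signed with $algo; slapd will not start after the update." >&2
        echo "Renew it with a stronger digest or set update50/ignore-sha1-check=yes." >&2
        return 1
    fi
    return 0
}

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE_SHA1_TEXT='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = example-ca'
```

On a UCS host the call would be `check_host_certificate "/etc/univention/ssl/$(hostname -f)/cert.pem" "$(ucr get update50/ignore-sha1-check)"`, with the certificate path inferred from the one in Comment 4.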