Bug 55596 - preup.sh and pre-update-checks-5.0-0 don't check ucs-sso cert for weak CA signature digest algorithm
Status: NEW
Product: UCS
Classification: Unclassified
Component: Update - Release updates
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
Depends on: 53013
Reported: 2023-01-25 15:32 CET by Arvid Requate
Modified: 2023-01-25 15:32 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Ticket number: 2022122021000252
Description Arvid Requate univentionstaff 2023-01-25 15:32:46 CET
During the update from UCS 4.4-9 to UCS 5.0-0 this error message causes problems during the update:
=======
Try to download idp metadata (60/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0^M  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: CA signature digest algorithm too weak
More details here: https://curl.haxx.se/docs/sslcerts.html
=======

I guess it's univention-saml trying to download the idp metadata file and curl detects Bug #53013 but for the "ucs-sso.$domainname".

The pre-update check function update_check_sha1_signature_is_used only checks the certificate of the host (primary in this case), but not the cert for ucs-sso.
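
The gap described above, as an added example that is not part of the original report and is not Univention's preup.sh code: a shell check that inspects every certificate in a list rather than only the host's. The function names, the certificate paths and the set of digests treated as weak (MD5, SHA-1) are assumptions.

```shell
#!/bin/sh
# Added example, not Univention's code. Function names and paths are hypothetical.

# Print the first "Signature Algorithm:" value found in the output of
# `openssl x509 -noout -text` read from stdin.
sig_alg_from_text() {
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if the algorithm name uses MD5 or SHA-1 (assumed weak set).
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md5with*|sha1with*|*-with-sha1|dsawithsha1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_certs LABEL=PATH ... : inspect every listed certificate, not just the
# first; return 1 if any has a weak or unreadable signature algorithm.
check_certs() {
    rc=0
    for entry in "$@"; do
        label=${entry%%=*}
        path=${entry#*=}
        if [ ! -e "$path" ]; then
            echo "SKIP $label: $path not present"
            continue
        fi
        alg=$(openssl x509 -in "$path" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$alg" ] || is_weak_sig_alg "$alg"; then
            echo "FAIL $label: signature algorithm '${alg:-unknown}'"
            rc=1
        else
            echo "OK   $label: $alg"
        fi
    done
    return "$rc"
}

# Constructed sample of `openssl x509 -noout -text` output (not a real cert).
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Root CA'

# Intended call, with placeholder paths:
#   check_certs "host=/path/to/host/cert.pem" "ucs-sso=/path/to/ucs-sso/cert.pem"
if is_weak_sig_alg "$(printf '%s\n' "$SAMPLE_TEXT" | sig_alg_from_text)"; then
    echo "constructed sample uses a weak signature digest"
fi
```

A certificate that is absent is skipped rather than failed, on the assumption that not every system carries an ucs-sso certificate.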