[SERVER-43085] Regenerate all testing certificates with SHA-256 instead of SHA-1

| Created: | 29/Aug/19 | Updated: | 29/Oct/23 | Resolved: | 23/Oct/19 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 3.6.16, 4.3.1, 3.4.24, 4.2.2, 4.0.14 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Adam Cooper (Inactive) | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Debian GNU/Linux bullseye, openssl v1.1.1c |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.2, v4.0, v3.6, v3.4 |
| Sprint: | Security 2019-10-07, Security 2019-10-21, Security 2019-11-04 |
| Linked BF Score: | 40 |
| Description |
|
On certain newer implementations of OpenSSL, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead. This causes test failures. I discovered this when testing kmip.js on my system, which failed with
See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context |
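
An added example, not part of the ticket or the project's code: a standard-library Python check that reads the `signatureAlgorithm` OID of every certificate in a PEM file and reports the SHA-1-signed ones, which are the certificates the description says the default OpenSSL config rejects. The function names and the `constructed_pem` sample (a DER skeleton with a certificate's outer shape, not a real certificate) are assumptions made for illustration.

```python
import base64, re, sys

# DER-encoded OID bytes of common certificate signature algorithms.
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",
}
WEAK = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)        # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate structure")
    oid = der[oid_start:oid_end]
    return SIG_OIDS.get(oid, "unknown OID " + oid.hex())

def sha1_signed(pem_bytes):
    """Return (index, algorithm) for each SHA-1-signed certificate in a PEM file."""
    algs = [signature_algorithm(base64.b64decode(b)) for b in PEM_RE.findall(pem_bytes)]
    return [(i, a) for i, a in enumerate(algs) if a in WEAK]

def constructed_pem(oid):
    """Constructed DER skeleton shaped like a certificate (not a real certificate)."""
    tlv = lambda tag, val: bytes([tag, len(val)]) + val
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"))
              + tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    sample = constructed_pem(bytes.fromhex("2a864886f70d010105"))  # constructed input
    inputs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {"<sample>": sample}
    for name, blob in inputs.items():
        for index, alg in sha1_signed(blob):
            print(f"{name}: certificate #{index} is signed with {alg}")
```

Pass the paths of test fixture `.pem` files as arguments; non-certificate PEM blocks in the same file, such as private keys, are ignored.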
| Comments |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436) |
| Comment by Githook User [ 11/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436) |
| Comment by Githook User [ 11/Nov/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: (cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d) |
| Comment by Githook User [ 23/Oct/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: .pem certificates |
| Comment by Githook User [ 20/Oct/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: .pfx |
| Comment by Githook User [ 18/Oct/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: Update all certs except trusted-*.pem chain. |
| Comment by Githook User [ 18/Oct/19 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com)
Message: |