[release/6.0] OpenSslX509ChainProcessor: ignore NotSignatureValid on last element.#70343

Merged
carlossanlop merged 1 commit into dotnet:release/6.0 from tmds:sig_not_valid_60 on Jun 9, 2022
Conversation

@tmds (Member) commented Jun 7, 2022

Backport of #69668 to release/6.0

Fixes: #65874 (comment)

Customer Impact

RHEL9's default crypto policy no longer accepts the use of RSA+SHA1 signatures.

Because .NET uses strict OpenSSL validation, it does not accept certain certificates, which are considered valid by other tools (like curl/wget). This causes websites like https://pkgs.dev.azure.com to no longer be accessible using HttpClient on RHEL9.

This change relaxes the validation so these certificates are trusted by .NET.

Testing

New tests are included as part of the change.

Risk

Low. The existing tests, combined with the new tests, give confidence to the scoped change. The version in main (and the backport) were authored by a Red Hat employee, so we feel that the new RHEL9 scenario has gotten about as good an eye as it could get.
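The description above says the fix makes the chain processor ignore NotSignatureValid on the last element only. The following C# is an added example written for this page, not code from the PR or from dotnet/runtime: it reproduces that policy in application code so a practitioner can see exactly which chain element carries the status and confirm that nothing else is wrong with the chain. The class and method names (`RootSignatureTolerantValidation`, `IsAcceptable`, `CreateHandler`) are my own; the `X509Chain`, `X509ChainElement`, `X509ChainStatusFlags` and `HttpClientHandler` APIs are the real .NET ones. The reasoning behind tolerating the flag on the anchor only is that a self-signed root's signature contributes nothing to trust (trust comes from the root being in the store), so a weak signature algorithm on it is harmless, while the same flag on a leaf or intermediate still means the chain is forged or broken.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not code from the dotnet/runtime PR): tolerate NotSignatureValid
// only when it is reported on the last chain element and that element is self-issued.
// Every other status flag, on any element, still fails validation.
public static class RootSignatureTolerantValidation
{
    public static bool IsAcceptable(X509Chain chain)
    {
        if (chain is null || chain.ChainElements.Count == 0)
        {
            return false;
        }

        int last = chain.ChainElements.Count - 1;
        for (int i = 0; i <= last; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            bool anchorCandidate = i == last && IsSelfIssued(element.Certificate);

            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                X509ChainStatusFlags flags = status.Status;
                if (anchorCandidate)
                {
                    // The anchor's self-signature proves nothing about trust, so the
                    // signature check (RSA+SHA1 rejected by the RHEL9 policy in the
                    // PR's scenario) is irrelevant for this element only.
                    flags &= ~X509ChainStatusFlags.NotSignatureValid;
                }
                if (flags != X509ChainStatusFlags.NoError)
                {
                    return false; // UntrustedRoot, PartialChain, NotTimeValid, ... still fail
                }
            }
        }
        return true;
    }

    // Self-issued: subject and issuer names are byte-for-byte identical.
    private static bool IsSelfIssued(X509Certificate2 cert) =>
        cert.SubjectName.RawData.AsSpan().SequenceEqual(cert.IssuerName.RawData);

    // HttpClient handler applying the policy. Name mismatches (RemoteCertificateNameMismatch)
    // and a missing certificate are never tolerated; only chain errors reach IsAcceptable.
    public static HttpClientHandler CreateHandler()
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback =
            (request, certificate, chain, sslPolicyErrors) =>
                sslPolicyErrors == SslPolicyErrors.None
                || (sslPolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors
                    && IsAcceptable(chain));
        return handler;
    }

    // Diagnostic entry point: build a chain for a DER or PEM certificate file and
    // print each element's signature algorithm and status flags.
    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: <certificate file>");
            return 2;
        }

        using var cert = new X509Certificate2(args[0]);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool built = chain.Build(cert);

        for (int i = 0; i < chain.ChainElements.Count; i++)
        {
            X509ChainElement element = chain.ChainElements[i];
            string statuses = string.Join(", ",
                element.ChainElementStatus.Select(s => s.Status.ToString()));
            Console.WriteLine($"[{i}] {element.Certificate.Subject} " +
                $"sig={element.Certificate.SignatureAlgorithm.FriendlyName} " +
                $"status={(statuses.Length == 0 ? "NoError" : statuses)}");
        }

        Console.WriteLine($"Build() = {built}, IsAcceptable() = {IsAcceptable(chain)}");
        return 0;
    }
}
```

Run the diagnostic against the leaf certificate of an affected site on a RHEL9 host with a pre-fix runtime and the output shows NotSignatureValid on the last element only, which is the situation the PR addresses; on a runtime containing this fix the chain processor no longer reports that status on the anchor, so the callback's tolerance branch is never taken and the handler behaves like the default one.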

@ghost ghost added the area-System.Security label Jun 7, 2022
@tmds (Member, Author) commented Jun 7, 2022

@bartonjs feel free to improve my initial message.

@tmds (Member, Author) commented Jun 7, 2022

cc @omajid

@ghost ghost added the community-contribution Indicates that the PR has been added by a community member label Jun 7, 2022
@ghost commented Jun 7, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Backport of #69668 to release/6.0

Fixes: #65874 (comment)

Customer Impact

RHEL9 default crypto policy no longer accepts the use of RSA+SHA1 signatures.

Because .NET uses strict OpenSSL validation, it does not accept certain certificates, which are considered valid by other tools (like curl/wget). This causes websites like https://pkgs.dev.azure.com to no longer be accessible using HttpClient on RHEL9.

This change relaxes the validation so these certificates are trusted by .NET.

@bartonjs @vcsjones ptal.

Author: tmds
Assignees: -
Labels:

area-System.Security

Milestone: -

@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Jun 7, 2022
@bartonjs (Member) commented Jun 7, 2022

The failed legs are Helix warnings about queue deprecation, no tests failed.

@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Jun 7, 2022
@rbhanda rbhanda added this to the 6.0.7 milestone Jun 7, 2022
@carlossanlop (Contributor) commented

Servicing-approved label applied. Area owner signed off. CI passed with unrelated failures.
:shipit:

@carlossanlop carlossanlop merged commit 6f81e35 into dotnet:release/6.0 Jun 9, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jul 10, 2022