Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the description for the tls_ca_cert config option to use openssl rehash instead of c_rehash #16981

Merged
merged 1 commit into from
Apr 29, 2024
Merged

Update the description for the tls_ca_cert config option to use openssl rehash instead of c_rehash #16981

merged 1 commit into from
Apr 29, 2024

Conversation

FlorentClarret
Copy link
Member

@FlorentClarret FlorentClarret commented Feb 27, 2024
edited
Loading

What does this PR do?

Update the description for the tls_ca_cert config option to use openssl rehash instead of c_rehash

Motivation

c_rehash has a CVE and we should discourage people from using it: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-1292

We will most likely remove this script from the Agent

Additional Notes

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Changelog entries must be created for modifications to shipped code
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.

@FlorentClarret FlorentClarret marked this pull request as ready for review February 27, 2024 08:04
@FlorentClarret FlorentClarret requested review from a team as code owners February 27, 2024 08:04
clamoriniere
clamoriniere reviewed Feb 27, 2024
View reviewed changes
Copy link
Contributor

@clamoriniere clamoriniere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @FlorentClarret

The changes look good for @DataDog/container-integrations files.

Quick question to be sure that it was evaluated: Are we sure that this change is backward compatible with certificates already used with our integrations with success? Can we expect that some user configuration might fail after the agent update?

@FlorentClarret
Copy link
Member Author

Hi @FlorentClarret

The changes look good for @DataDog/container-integrations files.

Quick question to be sure that it was evaluated: Are we sure that this change is backward compatible with certificates already used with our integrations with success? Can we expect that some user configuration might fail after the agent update?

That's a good question indeed!

Both commands c_rehash and openssl rehash are functionally equivalent except that, by default, openssl rehash only generates SHA-1 files. Old-style hashes use MD5 and can be generated with either the -old option or using the -compat option which will generate both MD5 and SHA-1 files. MD5s are used with pre-1.0.0 versions of openssl which we do not use so I don't think customers will need to generate them since Agent 6 is (currently) shipped with 1.1.1u and Agent 7 with 3.0.12. Also here this is a doc change, we do not modify anything else so simply updating the Agent can't break them.

Let me know if I missed something, or if I should add more info in the docs!

@FlorentClarret FlorentClarret added this to the 7.53.0 milestone Feb 27, 2024
@FlorentClarret FlorentClarret removed this from the 7.53.0 milestone Mar 25, 2024
@FlorentClarret FlorentClarret merged commit 93ec237 into master Apr 29, 2024
47 of 53 checks passed
@FlorentClarret FlorentClarret deleted the florentclarret/c_rehash branch April 29, 2024 11:15
@FlorentClarret FlorentClarret mentioned this pull request Apr 29, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jose-manuel-almaza jose-manuel-almaza jose-manuel-almaza approved these changes

@urseberry urseberry urseberry approved these changes

@iliakur iliakur iliakur approved these changes

@clamoriniere clamoriniere clamoriniere approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@FlorentClarret @clamoriniere @iliakur @urseberry @jose-manuel-almaza