From 9e1c78a4dda8e8f504fd8f01d7ff5a02e6d3b8ff Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Fri, 29 Jul 2022 12:57:03 +0200
Subject: [PATCH] input-xen: cover RHEL9 OpenSSL crypto settings

In [master] commit af4a0454cdd2 ("input-xen: replace "enable LEGACY
crypto" advice with targeted ssh options", 2022-07-11), we documented how
the libssh / openssh crypto settings needed to be relaxed, for connecting
to RHEL5 sshd. [rhel-9.1 commit: 3f7f730ac9cb.]

It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in
signature algorithms even at the OpenSSL level. Explain how the user can
re-enable that separately, for individual virt-v2v invocations.

The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass
OPENSSL_CONF through to ssh invocations", 2022-07-25), which is going
to be released in upstream libvirt v8.6.0.

Thanks: Dmitry Belyavskiy & Rich Jones
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20220729105703.10150-1-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
(cherry picked from commit ddab06d5eb99696f5fd1073b8ec91efbc8c3e4ab)
---
 docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod
index 1775fc31..9c3981e1 100644
--- a/docs/virt-v2v-input-xen.pod
+++ b/docs/virt-v2v-input-xen.pod
@@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest
from Xen, and on some operating systems, C<libssh> and C<ssh> may not
both accept the same option variant.)

+When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in
+signatures has to be re-enabled at the OpenSSL level, in addition to the
+above SSH configuration. Create a file called F<$HOME/openssl-sha1.cnf>
+with the following contents:
+
+ .include /etc/ssl/openssl.cnf
+ [openssl_init]
+ alg_section = evp_properties
+ [evp_properties]
+ rh-allow-sha1-signatures = yes
+
+and export the following variable into the environment of the
+C<virt-v2v> process:
+
+ OPENSSL_CONF=$HOME/openssl-sha1.cnf
+
+Note that the C<OPENSSL_CONF> environment variable will only take effect
+if the libvirt client library used by virt-v2v is at least version
+8.6.0.
+
=head2 Test libvirt connection to remote Xen host

Use the L<virsh(1)> command to list the guests on the remote Xen host:
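Review bot: the caveat in the last added paragraph ("will only take effect if the libvirt client library ... is at least version 8.6.0") is imprecise: OpenSSL honours C<OPENSSL_CONF> in any process that loads it, what needs libvirt 8.6.0 is that the libvirt client passes the variable through to the C<ssh> child it starts (the 45912ac399ab change cited in the commit message). Suggest rewording to something like "Note that libvirt only passes C<OPENSSL_CONF> through to the C<ssh> process it starts if the libvirt client library used by virt-v2v is at least version 8.6.0; with an older libvirt the setting will not reach that C<ssh> process." It would also help to say, next to the C<OPENSSL_CONF=$HOME/openssl-sha1.cnf> line, that the file re-enables SHA1 signatures for every OpenSSL user inside the virt-v2v process tree, not just the SSH connection to the Xen host, so the variable should be set for the individual virt-v2v invocation (as the commit message intends) rather than exported from a login profile, and dropped again once the RHEL 5 source is no longer needed.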