[Libguestfs] [v2v PATCH] input-xen: cover RHEL9 OpenSSL crypto settings

Laszlo Ersek lersek at redhat.com
Fri Jul 29 13:12:47 UTC 2022 

On 07/29/22 13:13, Richard W.M. Jones wrote:
> On Fri, Jul 29, 2022 at 12:57:03PM +0200, Laszlo Ersek wrote:
>> In commit af4a0454cdd2 ("input-xen: replace "enable LEGACY crypto" advice
>> with targeted ssh options", 2022-07-11), we documented how the libssh /
>> openssh crypto settings needed to be relaxed, for connecting to RHEL5
>> sshd.
>>
>> It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in
>> signature algorithms even at the OpenSSL level. Explain how the user can
>> re-enable that separately, for individual virt-v2v invocations.
>>
>> The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass
>> OPENSSL_CONF through to ssh invocations", 2022-07-25), which is is going
>> to be released in upstream libvirt v8.6.0.
>>
>> Thanks: Dmitry Belyavskiy & Rich Jones
>> Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
>> Signed-off-by: Laszlo Ersek <lersek at redhat.com>
>> ---
>>  docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++
>>  1 file changed, 20 insertions(+)
>>
>> diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod
>> index 789853b4d194..4a0544f8d16a 100644
>> --- a/docs/virt-v2v-input-xen.pod
>> +++ b/docs/virt-v2v-input-xen.pod
>> @@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest
>>  from Xen, and on some operating systems, C<libssh> and C<ssh> may not
>>  both accept the same option variant.)
>>  
>> +When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in
>> +signatures has to be re-enabled at the OpenSSL level, in addition to the
>> +above SSH configuration.  Create a file called F<$HOME/openssl-sha1.cnf>
>> +with the following contents:
>> +
>> + .include /etc/ssl/openssl.cnf
>> + [openssl_init]
>> + alg_section = evp_properties
>> + [evp_properties]
>> + rh-allow-sha1-signatures = yes
>> +
>> +and export the following variable into the environment of the
>> +C<virt-v2v> process:
>> +
>> + OPENSSL_CONF=$HOME/openssl-sha1.cnf
>> +
>> +Note that the C<OPENSSL_CONF> environment variable will only take effect
>> +if the libvirt client library used by virt-v2v is at least version
>> +8.6.0.
>> +
>>  =head2 Test libvirt connection to remote Xen host
>>  
>>  Use the L<virsh(1)> command to list the guests on the remote Xen host:
>> -- 
>> 2.19.1.3.g30247aa5d201
> 
> Reviewed-by: Richard W.M. Jones <rjones at redhat.com>

Commit ddab06d5eb99 on the master branch.

Cherry-picked to the rhel-9.1 branch as commit 9e1c78a4dda8, with commit
hash references updated / annotated in the commit message.

Thanks!
Laszlo

More information about the Libguestfs mailing list