tempurl: Deprecate sha1 signatures

We've known this would eventually be necessary for a while [1], and
way back in 2017 we started seeing SHA-1 collisions [2].

[1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
[2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

UpgradeImpact:
==============
"sha1" has been removed from the default set of `allowed_digests` in the
tempurl middleware config. If your cluster still has clients requiring
the use of SHA-1,
- explicitly configure `allowed_digests` to include "sha1" and
- encourage your clients to move to more-secure algorithms.

Depends-On: https://review.opendev.org/c/openstack/tempest/+/832771
Change-Id: I6e6fa76671c860191a2ce921cb6caddc859b1066
Related-Change: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046
Closes-Bug: #1733634 
This commit is contained in:
Tim Burke
2017-12-05 21:52:51 +00:00
committed by Matthew Oliver
parent b621a6f932
commit 118cf2ba8a

@@ -944,7 +944,7 @@ use = egg:swift#tempurl
#
# The digest algorithm(s) supported for generating signatures;
# whitespace-delimited.
# allowed_digests = sha1 sha256 sha512
# allowed_digests = sha256 sha512
# Note: Put formpost just before your auth filter(s) in the pipeline
[filter:formpost]
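
Review bot: the comment above `allowed_digests` in this hunk still says only that the list is whitespace-delimited, so an operator reading the sample config gets no hint that "sha1" was dropped from the default or that it is deprecated. Suggest adding a comment line there, for example `# "sha1" is deprecated and no longer enabled by default; list it explicitly only if clients still require it.`, so the UpgradeImpact guidance from the commit message is also discoverable from the config file itself. Only the sample config is visible here; it is worth confirming that the middleware's built-in default matches this new commented value and that a test covers a sha1-signed request being rejected under the default configuration.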