Laszlo Ersek
2022-Jul-29 10:57 UTC
[Libguestfs] [v2v PATCH] input-xen: cover RHEL9 OpenSSL crypto settings
In commit af4a0454cdd2 ("input-xen: replace "enable LEGACY crypto" advice with targeted ssh options", 2022-07-11), we documented how the libssh / openssh crypto settings needed to be relaxed, for connecting to RHEL5 sshd. It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in signature algorithms even at the OpenSSL level. Explain how the user can re-enable that separately, for individual virt-v2v invocations. The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass OPENSSL_CONF through to ssh invocations", 2022-07-25), which is going to be released in upstream libvirt v8.6.0. Thanks: Dmitry Belyavskiy & Rich Jones Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360 Signed-off-by: Laszlo Ersek <lersek at redhat.com> --- docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod index 789853b4d194..4a0544f8d16a 100644 --- a/docs/virt-v2v-input-xen.pod +++ b/docs/virt-v2v-input-xen.pod 
@@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest from Xen, and on some operating systems, C<libssh> and C<ssh> may not both accept the same option variant.) +When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in +signatures has to be re-enabled at the OpenSSL level, in addition to the +above SSH configuration. Create a file called F<$HOME/openssl-sha1.cnf> +with the following contents: + + .include /etc/ssl/openssl.cnf + [openssl_init] + alg_section = evp_properties + [evp_properties] + rh-allow-sha1-signatures = yes + +and export the following variable into the environment of the +C<virt-v2v> process: + + OPENSSL_CONF=$HOME/openssl-sha1.cnf + +Note that the C<OPENSSL_CONF> environment variable will only take effect +if the libvirt client library used by virt-v2v is at least version +8.6.0. + =head2 Test libvirt connection to remote Xen host Use the L<virsh(1)> command to list the guests on the remote Xen host: -- 2.19.1.3.g30247aa5d201
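Review bot: the sentence "and export the following variable into the environment of the C<virt-v2v> process" works against the commit message's stated goal of re-enabling SHA1 signatures "for individual virt-v2v invocations": an exported OPENSSL_CONF stays in the shell session and is inherited by every OpenSSL-using process started afterwards, not only by virt-v2v, so the relaxed signature policy outlives the migration. Suggest documenting the per-command form instead, e.g. "OPENSSL_CONF=$HOME/openssl-sha1.cnf virt-v2v ...", and mentioning that the config file can be deleted once the RHEL 5 guests have been converted. Separately, the closing "Note that the C<OPENSSL_CONF> environment variable will only take effect if the libvirt client library used by virt-v2v is at least version 8.6.0" would be more useful if it also said what the user sees otherwise: before libvirt commit 45912ac399ab the variable is simply not passed through to the ssh child, so on an older libvirt the connection fails exactly as it did without the file, and the user may otherwise waste time debugging a config file that is never read.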
Richard W.M. Jones
2022-Jul-29 11:13 UTC
[Libguestfs] [v2v PATCH] input-xen: cover RHEL9 OpenSSL crypto settings
On Fri, Jul 29, 2022 at 12:57:03PM +0200, Laszlo Ersek wrote: > In commit af4a0454cdd2 ("input-xen: replace "enable LEGACY crypto" advice > with targeted ssh options", 2022-07-11), we documented how the libssh / > openssh crypto settings needed to be relaxed, for connecting to RHEL5 > sshd. > > It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in > signature algorithms even at the OpenSSL level. Explain how the user can > re-enable that separately, for individual virt-v2v invocations. > > The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass > OPENSSL_CONF through to ssh invocations", 2022-07-25), which is going > to be released in upstream libvirt v8.6.0. > > Thanks: Dmitry Belyavskiy & Rich Jones > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360 > Signed-off-by: Laszlo Ersek <lersek at redhat.com> > --- > docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod > index 789853b4d194..4a0544f8d16a 100644 > --- a/docs/virt-v2v-input-xen.pod > +++ b/docs/virt-v2v-input-xen.pod 
> @@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest > from Xen, and on some operating systems, C<libssh> and C<ssh> may not > both accept the same option variant.) > > +When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in > +signatures has to be re-enabled at the OpenSSL level, in addition to the > +above SSH configuration. Create a file called F<$HOME/openssl-sha1.cnf> > +with the following contents: > + > + .include /etc/ssl/openssl.cnf > + [openssl_init] > + alg_section = evp_properties > + [evp_properties] > + rh-allow-sha1-signatures = yes > + > +and export the following variable into the environment of the > +C<virt-v2v> process: > + > + OPENSSL_CONF=$HOME/openssl-sha1.cnf > + > +Note that the C<OPENSSL_CONF> environment variable will only take effect > +if the libvirt client library used by virt-v2v is at least version > +8.6.0. > + > =head2 Test libvirt connection to remote Xen host > > Use the L<virsh(1)> command to list the guests on the remote Xen host: > -- > 2.19.1.3.g30247aa5d201Reviewed-by: Richard W.M. Jones <rjones at redhat.com> Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org