Re: [Libguestfs] [v2v PATCH] input-xen: cover RHEL9 OpenSSL crypto settings

On Fri, Jul 29, 2022 at 12:57:03PM +0200, Laszlo Ersek wrote: > In commit af4a0454cdd2 ("input-xen: replace "enable LEGACY crypto" advice > with targeted ssh options", 2022-07-11), we documented how the libssh / > openssh crypto settings needed to be relaxed, for connecting to RHEL5 > sshd. > > It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1 in > signature algorithms even at the OpenSSL level. Explain how the user can > re-enable that separately, for individual virt-v2v invocations. > > The method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass > OPENSSL_CONF through to ssh invocations", 2022-07-25), which is is going > to be released in upstream libvirt v8.6.0. > > Thanks: Dmitry Belyavskiy & Rich Jones > Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360 > Signed-off-by: Laszlo Ersek <lersek(a)redhat.com&gt; > --- > docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > > diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod > index 789853b4d194..4a0544f8d16a 100644 > --- a/docs/virt-v2v-input-xen.pod > +++ b/docs/virt-v2v-input-xen.pod > @@ -54,6 +54,26 @@ new one. Virt-v2v uses both C<libssh> and C<ssh> when converting a guest > from Xen, and on some operating systems, C<libssh> and C<ssh> may not > both accept the same option variant.) > > +When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in > +signatures has to be re-enabled at the OpenSSL level, in addition to the > +above SSH configuration. Create a file called F<$HOME/openssl-sha1.cnf> > +with the following contents: > + > + .include /etc/ssl/openssl.cnf > + [openssl_init] > + alg_section = evp_properties > + [evp_properties] > + rh-allow-sha1-signatures = yes > + > +and export the following variable into the environment of the > +C<virt-v2v> process: > + > + OPENSSL_CONF=$HOME/openssl-sha1.cnf > + > +Note that the C<OPENSSL_CONF> environment variable will only take effect > +if the libvirt client library used by virt-v2v is at least version > +8.6.0. > + > =head2 Test libvirt connection to remote Xen host > > Use the L<virsh(1)> command to list the guests on the remote Xen host: > -- > 2.19.1.3.g30247aa5d201 Reviewed-by: Richard W.M. Jones <rjones(a)redhat.com&gt;