From 9e1c78a4dda8e8f504fd8f01d7ff5a02e6d3b8ff Mon Sep 17 00:00:00 2001
From: Laszlo Ersek
Date: Fri, 29 Jul 2022 12:57:03 +0200
Subject: [PATCH] input-xen: cover RHEL9 OpenSSL crypto settings

In [master] commit af4a0454cdd2 ("input-xen: replace "enable LEGACY
crypto" advice with targeted ssh options", 2022-07-11), we documented
how the libssh / openssh crypto settings needed to be relaxed, for
connecting to RHEL5 sshd. [rhel-9.1 commit: 3f7f730ac9cb.]

It turns out that in RHEL9, the non-LEGACY crypto policies disable SHA1
in signature algorithms even at the OpenSSL level. Explain how the user
can re-enable that separately, for individual virt-v2v invocations. The
method depends on Rich's libvirt commit 45912ac399ab ("rpc: Pass
OPENSSL_CONF through to ssh invocations", 2022-07-25), which is going to
be released in upstream libvirt v8.6.0.

Thanks: Dmitry Belyavskiy & Rich Jones
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062360
Signed-off-by: Laszlo Ersek
Message-Id: <20220729105703.10150-1-lersek@redhat.com>
Reviewed-by: Richard W.M. Jones
(cherry picked from commit ddab06d5eb99696f5fd1073b8ec91efbc8c3e4ab)
--- docs/virt-v2v-input-xen.pod | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/virt-v2v-input-xen.pod b/docs/virt-v2v-input-xen.pod index 1775fc31..9c3981e1 100644 --- a/docs/virt-v2v-input-xen.pod +++ b/docs/virt-v2v-input-xen.pod 
@@ -54,6 +54,26 @@ new one. Virt-v2v uses both C and C when converting a guest from Xen, and on some operating systems, C and C may not both accept the same option variant.) +When connecting to RHEL 5 sshd from RHEL 9, the SHA1 algorithm's use in +signatures has to be re-enabled at the OpenSSL level, in addition to the +above SSH configuration. Create a file called F<$HOME/openssl-sha1.cnf> +with the following contents: + + .include /etc/ssl/openssl.cnf + [openssl_init] + alg_section = evp_properties + [evp_properties] + rh-allow-sha1-signatures = yes + +and export the following variable into the environment of the +C process: + + OPENSSL_CONF=$HOME/openssl-sha1.cnf + +Note that the C environment variable will only take effect +if the libvirt client library used by virt-v2v is at least version +8.6.0. + =head2 Test libvirt connection to remote Xen host Use the L command to list the guests on the remote Xen host:
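Review bot: the added text that says to "export the following variable into the environment of the" virt-v2v process does not say how narrowly the override should be scoped, and `rh-allow-sha1-signatures = yes` takes effect for any OpenSSL-using program that inherits OPENSSL_CONF, not only the connection to the RHEL 5 sshd. The commit message says the intent is "individual virt-v2v invocations", so the documentation should say so too: show the variable set as a prefix on the single virt-v2v command line, and advise against exporting it from a login shell or profile where unrelated tools would also pick up the relaxed SHA1 policy. The closing note about libvirt 8.6.0 would also be clearer if it said what the user sees with an older client library, namely that the variable is not passed through to ssh and the SHA1 signature failure persists, so the reader can recognise that case instead of assuming the config file is wrong.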