
Test suite fails on platforms where SHA-1 signatures are unsupported


CentOS 9 Stream and Red Hat Enterprise Linux 9 have SHA-1 signatures disabled by default.

Building asyncssh on these platforms results in many test suite failures due to lack of SHA-1 signature support, like this one:

======================================================================
ERROR: setUpClass (tests.test_forward._TestTCPForwarding)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builddir/build/BUILD/asyncssh-2.9.0/tests/util.py", line 368, in setUpClass
    cls.loop.run_until_complete(cls.asyncSetUpClass())
  File "/usr/lib64/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/builddir/build/BUILD/asyncssh-2.9.0/tests/server.py", line 121, in asyncSetUpClass
    ckey_cert = ckey.generate_user_certificate(ckey, 'name',
  File "/builddir/build/BUILD/asyncssh-2.9.0/asyncssh/public_key.py", line 746, in generate_user_certificate
    return self._generate_certificate(user_key, version, serial,
  File "/builddir/build/BUILD/asyncssh-2.9.0/asyncssh/public_key.py", line 347, in _generate_certificate
    return cert_handler.generate(self, algorithm, key, serial, cert_type,
  File "/builddir/build/BUILD/asyncssh-2.9.0/asyncssh/public_key.py", line 1593, in generate
    data += String(signing_key.sign(data, signing_key.algorithm))
  File "/builddir/build/BUILD/asyncssh-2.9.0/asyncssh/public_key.py", line 557, in sign
    self.sign_ssh(data, sig_algorithm)))
  File "/builddir/build/BUILD/asyncssh-2.9.0/asyncssh/rsa.py", line 242, in sign_ssh
    return String(self._key.sign(data, _hash_algs[sig_algorithm]))
  File "/builddir/build/BUILD/asyncssh-2.9.0/asyncssh/crypto/rsa.py", line 134, in sign
    return priv_key.sign(data, PKCS1v15(), hashes[hash_name]())
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 501, in sign
    return _rsa_sig_sign(self._backend, padding, algorithm, self, data)
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 244, in _rsa_sig_sign
    pkey_ctx = _rsa_sig_setup(
  File "/usr/lib64/python3.9/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 213, in _rsa_sig_setup
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: sha1 is not supported by this backend for RSA signing.

Paramiko added a marker to tests that support sha1 so they’re easy to skip (https://github.com/paramiko/paramiko/pull/2011). Maybe asyncssh could do the same.
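A probe-and-skip helper in the spirit of the Paramiko marker mentioned above, added here as an example and not code from asyncssh or Paramiko. It assumes the `cryptography` package and a plain `unittest` suite; the names `sha1_rsa_signing_supported`, `requires_sha1_signing` and `LegacyCertTests` are assumptions of this example.

```python
"""Probe the crypto backend for SHA-1 RSA signing and skip tests that need it."""
import unittest


def sha1_rsa_signing_supported():
    """Return True if the cryptography backend will produce an RSA PKCS#1 v1.5
    signature over SHA-1, False if it refuses (as the default crypto policy on
    RHEL 9 / CentOS 9 Stream does), and None if cryptography is not installed.

    Only the local backend is probed; signing delegated to an SSH agent is a
    separate code path and is not covered by this check.
    """
    try:
        from cryptography.exceptions import UnsupportedAlgorithm
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
    except ImportError:
        return None

    # Throwaway key: the probe only cares whether the sign call is allowed.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        key.sign(b"sha1 probe", padding.PKCS1v15(), hashes.SHA1())
    except UnsupportedAlgorithm:
        # This is the exception the traceback above ends in:
        # "sha1 is not supported by this backend for RSA signing."
        return False
    return True


def requires_sha1_signing(supported=None):
    """Decorator marking a test function or TestCase as needing SHA-1 signing.

    `supported` may be given explicitly (useful for testing the marker itself);
    by default the backend is probed. Unknown (None) counts as unsupported, so
    the suite skips instead of erroring when cryptography is absent.
    """
    if supported is None:
        supported = sha1_rsa_signing_supported()
    return unittest.skipUnless(
        supported, "SHA-1 signatures are not supported by this backend")


# Assumed usage: applied only to tests that still create SHA-1-signed
# certificates, the way Paramiko applies its marker.
class LegacyCertTests(unittest.TestCase):
    @requires_sha1_signing()
    def test_sha1_signed_user_certificate(self):
        self.assertTrue(sha1_rsa_signing_supported())
```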

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 12 (10 by maintainers)

Top GitHub Comments

ronf commented, Aug 11, 2022

These changes are now available in AsyncSSH 2.12.0.

ronf commented, Jul 17, 2022

I was able to confirm that all of the test failures in test_connection_auth.py were in fact related to attempting to use the SSH agent to do signing with a SHA-1 hash.

I’ve checked a set of updates into the “develop” branch that seems to fix all the failures in my CentOS 9 container. Along the way, I made a couple of improvements in AsyncSSH itself. Specifically, the changes include:

  • A new sig_alg argument is now available to request which signature algorithm to use when creating OpenSSH certificates
  • The SSH agent client has been updated to properly request SHA-2 signing for x509v3-rsa2048-sha256 keys paired with an X.509 certificate.
  • Agent and connection auth unit tests were updated to avoid keys which request SHA-1 signing in the SSH agent
  • DSA unit tests no longer attempt to test interoperability with OpenSSH, to avoid issues with its use of SHA-1 signatures
  • An internal make_certificate function was updated to default to using SHA-2 signing for RSA-based OpenSSH certificates

@ktdreyer @gsauthof All of these changes are now in the “develop” branch if you’d like to re-run your tests. Thanks again to both of you for helping me to reproduce the issues here!
