diff --git a/changelog/15581.txt b/changelog/15581.txt new file mode 100644 index 000000000..abc55a558 --- /dev/null +++ b/changelog/15581.txt @@ -0,0 +1,3 @@ +```release-note:deprecation +docs: Document removal of X.509 certificates with signatures who use SHA-1 in Vault 1.12 +``` diff --git a/website/content/docs/deprecation/faq.mdx b/website/content/docs/deprecation/faq.mdx index c88af0bef..8fa8229f6 100644 --- a/website/content/docs/deprecation/faq.mdx +++ b/website/content/docs/deprecation/faq.mdx @@ -35,3 +35,17 @@ These features were deprecated in prior releases of Vault. We are targeting the | Mount Filters | [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) | | AppID | [AppRole auth method](/docs/auth/approle) | | Standalone DB engines | [Combined DB engines](/docs/secrets/databases) | + +### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1? + +Starting with Vault 1.12.0, Vault will be built with Go 1.18. +The Go 1.18 standard library [rejects X.509 certificates](https://tip.golang.org/doc/go1.18#sha1) whose signatures use a SHA-1 hash. + +If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set. +This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround. + +Here are the use cases that may still use certificates with SHA-1: + +- AWS Credential Plugin: [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs. + +We will update this list as we do further research. \ No newline at end of file diff --git a/website/content/docs/deprecation/index.mdx b/website/content/docs/deprecation/index.mdx index e3cffd61c..b116974cf 100644 --- a/website/content/docs/deprecation/index.mdx 
+++ b/website/content/docs/deprecation/index.mdx @@ -28,3 +28,4 @@ This announcement page is maintained and updated periodically to communicate imp | Feature Removal: AppID (OSS) | v0.6 | N/A | v1.11 | Use the alternative feature: [AppRole auth method](https://www.vaultproject.io/docs/auth/approle) | [AppID Auth Method Deprecation Notice](/docs/auth/app-id) | | End of Support: AAD Graph on Azure Secrets Engine | v1.10 | 1.11 | v1.12 | Microsoft will end its support of the [AAD Graph API on June 30, 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview). Support for Microsoft Graph API was introduced in Vault 1.9. If your Vault deployment is on a prior release, you may use the Azure Secrets Engine as an external plugin while you plan to upgrade. | [AAD (Azure Active Directory](https://vault-git-post-1-10-doc-changes-hashicorp.vercel.app/docs/secrets/azure#aad-azure-active-directory) | | Feature Adjustment: Optional `api_token` parameter in Okta Auth Method | v1.4 | 1.11 | v1.12 | The `api_token` parameter on the Okta Auth Method will change from being optional to being required. | [API Documentation](https://www.vaultproject.io/api-docs/auth/okta#api_token) | +| End of Support: X.509 Certificates with SHA-1 Signatures | v1.11 | v1.11 | v1.12 | Use updated third-party provider releases that support more secure hashing algorithms for X.509 certificates.|[FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)|
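Review bot: In the changelog/15581.txt hunk, the release note reads "certificates with signatures who use SHA-1"; "who" is wrong for a signature, and the wording does not match the FAQ heading added in the same PR. Suggest aligning the two so the changelog and docs use one phrasing, e.g. "docs: Document removal of support for X.509 certificates with SHA-1 signatures in Vault 1.12".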
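Review bot: In the faq.mdx hunk, the `GODEBUG=x509sha1=1` paragraph is the most important operational guidance on the page and it needs two fixes. First, the sentence "This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround." is a comma splice; split it ("...in a future version of Go. The Go team has not said when...") so readers do not skim past the fact that the escape hatch is temporary. Second, the scope of the rejection is not stated: the text says Go rejects certificates "whose signatures use a SHA-1 hash" but does not say which certificates in a Vault deployment are affected (TLS listener chains, client certificates used by the cert auth method, CA material stored in the PKI secrets engine, plugin TLS). Suggest adding one sentence listing where operators should look, and checking the linked Go release note for any certificate classes it exempts so the FAQ states the same scope. Smaller points: the link `https://tip.golang.org/doc/go1.18#sha1` points at the tip docs, which change with every release; use the versioned release-note URL instead. The "use cases that may still use certificates with SHA-1" list has one entry and the trailing "We will update this list as we do further research." is fine as a placeholder, but the file is missing its trailing newline ("\ No newline at end of file"), which most repos lint against.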
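Review bot: In the index.mdx hunk, the new table row omits the spacing the other rows use around the pipe separators ("...for X.509 certificates.|[FAQ](...)|" versus "... | [API Documentation](...) |"), which renders fine in MDX but breaks the column alignment for anyone reading the source; suggest "... for X.509 certificates. | [FAQ](/docs/deprecation/faq#...) |". The remediation text "Use updated third-party provider releases that support more secure hashing algorithms" is also vaguer than the FAQ it links to: the FAQ names a concrete temporary workaround (`GODEBUG=x509sha1=1`) and a concrete affected integration (the AWS instance identity PKCS7 signatures), so consider mentioning at least the workaround here so the table is self-contained. Finally, the FAQ anchor is derived from the heading text in faq.mdx; if that heading is reworded later (for example to match the changelog entry) this link silently breaks, so keep the two in the same change or add a stable explicit anchor.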