From 5f9386abad34651060cbdaa278fb10db3a6ac1b5 Mon Sep 17 00:00:00 2001 From: Christopher Swenson Date: Wed, 25 May 2022 10:11:17 -0700 Subject: [PATCH] Add deprecation note about X.509/SHA-1 (#15581) Add deprecation note about X.509/SHA-1 In preparation for moving to Go 1.18 in Vault 1.12. Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> --- changelog/15581.txt | 3 +++ website/content/docs/deprecation/faq.mdx | 14 ++++++++++++++ website/content/docs/deprecation/index.mdx | 1 + 3 files changed, 18 insertions(+) create mode 100644 changelog/15581.txt diff --git a/changelog/15581.txt b/changelog/15581.txt new file mode 100644 index 000000000..abc55a558 --- /dev/null +++ b/changelog/15581.txt @@ -0,0 +1,3 @@ +```release-note:deprecation +docs: Document removal of X.509 certificates with signatures who use SHA-1 in Vault 1.12 +``` diff --git a/website/content/docs/deprecation/faq.mdx b/website/content/docs/deprecation/faq.mdx index c88af0bef..8fa8229f6 100644 --- a/website/content/docs/deprecation/faq.mdx +++ b/website/content/docs/deprecation/faq.mdx 
@@ -35,3 +35,17 @@ These features were deprecated in prior releases of Vault. We are targeting the | Mount Filters | [Path Filters](https://www.vaultproject.io/api-docs/system/replication/replication-performance#create-paths-filter) | | AppID | [AppRole auth method](/docs/auth/approle) | | Standalone DB engines | [Combined DB engines](/docs/secrets/databases) | + +### Q: What is the impact of removing support for X.509 certificates with signatures that use SHA-1? + +Starting with Vault 1.12.0, Vault will be built with Go 1.18. +The Go 1.18 standard library [rejects X.509 certificates](https://tip.golang.org/doc/go1.18#sha1) whose signatures use a SHA-1 hash. + +If this issue impacts your usage of Vault, you can temporarily work around it by deploying Vault with the environment variable `GODEBUG=x509sha1=1` set. +This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround. + +Here are the use cases that may still use certificates with SHA-1: + +- AWS Credential Plugin: [AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) can use SHA-1-based PKCS7 signatures for DSA key pairs. + +We will update this list as we do further research. \ No newline at end of file diff --git a/website/content/docs/deprecation/index.mdx b/website/content/docs/deprecation/index.mdx index e3cffd61c..b116974cf 100644 --- a/website/content/docs/deprecation/index.mdx +++ b/website/content/docs/deprecation/index.mdx 
@@ -28,3 +28,4 @@ This announcement page is maintained and updated periodically to communicate imp | Feature Removal: AppID (OSS) | v0.6 | N/A | v1.11 | Use the alternative feature: [AppRole auth method](https://www.vaultproject.io/docs/auth/approle) | [AppID Auth Method Deprecation Notice](/docs/auth/app-id) | | End of Support: AAD Graph on Azure Secrets Engine | v1.10 | 1.11 | v1.12 | Microsoft will end its support of the [AAD Graph API on June 30, 2022](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview). Support for Microsoft Graph API was introduced in Vault 1.9. If your Vault deployment is on a prior release, you may use the Azure Secrets Engine as an external plugin while you plan to upgrade. | [AAD (Azure Active Directory](https://vault-git-post-1-10-doc-changes-hashicorp.vercel.app/docs/secrets/azure#aad-azure-active-directory) | | Feature Adjustment: Optional `api_token` parameter in Okta Auth Method | v1.4 | 1.11 | v1.12 | The `api_token` parameter on the Okta Auth Method will change from being optional to being required. | [API Documentation](https://www.vaultproject.io/api-docs/auth/okta#api_token) | +| End of Support: X.509 Certificates with SHA-1 Signatures | v1.11 | v1.11 | v1.12 | Use updated third-party provider releases that support more secure hashing algorithms for X.509 certificates.|[FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1)|
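Review bot: In the changelog/15581.txt hunk, the release note reads "signatures who use SHA-1"; the relative pronoun should be "that" (or "which") since the antecedent is signatures, not people, and the faq.mdx heading added in the same patch already uses "signatures that use SHA-1". Suggest `docs: Document removal of X.509 certificates with signatures that use SHA-1 in Vault 1.12` so the changelog and FAQ wording match.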
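Review bot: In the faq.mdx hunk, the workaround sentence is a comma splice that also reads as if the workaround already fails: "This workaround will fail in a future version of Go, however, the Go team has not said when they will remove this workaround." Suggest splitting it: "This workaround will stop working in a future Go release; the Go team has not announced when the `x509sha1` setting will be removed." Two smaller points on the same hunk: the link to `tip.golang.org/doc/go1.18#sha1` points at the tip docs, which move with each release, so the stable URL `https://go.dev/doc/go1.18#sha1` is the safer anchor for a deprecation FAQ; and the linked release notes scope the new rejection to SHA-1 signatures checked during chain verification and leave self-signed roots unaffected, which is worth confirming against that page and stating here so operators know which certificates will actually start failing. The file also ends without a trailing newline ("\ No newline at end of file"), which the other docs in this tree have.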
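Review bot: In the index.mdx hunk, the new table row drops the ` | ` spacing the surrounding rows use: `...for X.509 certificates.|[FAQ](...)|`. Markdown tables tolerate this, but the source is harder to scan and diff against its neighbours; suggest `... for X.509 certificates. | [FAQ](/docs/deprecation/faq#q-what-is-the-impact-of-removing-support-for-x-509-certificates-with-signatures-that-use-sha-1) |` to match the rows above. The anchor itself matches the slug of the heading added to faq.mdx in this patch, so the link should resolve; if the heading wording is changed in review, this anchor has to change with it.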