
On Tue, Jun 9, 2020 at 10:23 AM Paul-Erik Törrönen <poltsi@poltsi.fi> wrote:
On 2020-06-08 08:58, Yedidyah Bar David wrote:
I agree it's not detailed enough. We have it briefly mentioned e.g. here: https://www.ovirt.org/documentation/installing_ovirt_as_a_self-hosted_engine... For some reason it's marked "Optional", not sure why.
I think it should also be pointed out that only certain keys are supported.
You can't, e.g., have an ed25519-only setup, as the installation tries to use RSA.
Thanks for this comment. Added a note for you on Wart's bug 1845271.

Do you think this is a significant limitation? In theory, it should not be too hard to make the engine's PKI code more flexible, allowing configuring it to use whatever algorithms both openssl/m2crypto and Java support, but in reality this was never requested. Only relevant change I recall was the request to change from hash algo SHA1 to SHA256, several years ago (which we did, then, unconditionally, still hardcoding sha256 in several places).

Thanks and best regards,
--
Didi