Issue #21029 has been updated by Charlie Sharpsteen. Status changed from Unreviewed to Needs More Information Assignee set to Jan Örnstedt
According to the OpenSSL documentation, <http://www.openssl.org/docs/ssl/SSL_library_init.html#NOTES>, support for SHA256 digests was enabled by default in versions 0.9.8o and 1.0.0a. The earliest OpenSSL version I could find SHA256 algorithm implementations was 0.9.7f --- but these are not enabled by default. On Solaris 10 the official SUN OpenSSL package is 0.9.7d which is too old for SHA256. The CSW OpenSSL package provides 0.9.8x which is new enough. Jan, which version of Ruby are you using to run Puppet on Solaris 10? Is there a reason you cant use the CSW Ruby which is built against a newer version of OpenSSL? ---------------------------------------- Bug #21029: SHA256 as digest is not compatible with older versions of openssl https://projects.puppetlabs.com/issues/21029#change-92212 * Author: Jan Örnstedt * Status: Needs More Information * Priority: Normal * Assignee: Jan Örnstedt * Category: * Target version: * Affected Puppet version: 3.2.1 * Keywords: sha256 openssl digest solaris * Branch: ---------------------------------------- If the puppet master uses SHA256 as digest on the CA cert then agents with older versions of openssl will not be able to verify the CA Cert. Making it impossible for OS such as Solaris 10 to connect to a master running on Solaris 11. So far have I not found any method of downreving digest algorithm to SHA1 except for reissue the certs with openssl directly. <pre> Master: # digest -a md5 ca.pem agent.pem (ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c (agent.pem) = 559cb7ddf565340ddf802670cc68cf53 # openssl verify -CAfile ca.pem agent.pem agent.pem: OK # openssl x509 -text -noout -in ca.pem | grep Signature Signature Algorithm: sha256WithRSAEncryption Signature Algorithm: sha256WithRSAEncryption # openssl version OpenSSL 1.0.0j 10 May 2012 Agent: # digest -a md5 ca.pem agent.pem (ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c (agent.pem) = 559cb7ddf565340ddf802670cc68cf53 # openssl verify -CAfile ca.pem agent.pem agent.pem: /CN=agent error 7 at 0 depth lookup:certificate signature failure # openssl x509 -text -noout -in ca.pem | grep Signature Signature Algorithm: 1.2.840.113549.1.1.11 Signature Algorithm: 1.2.840.113549.1.1.11 # openssl version OpenSSL 0.9.7d 17 Mar 2004 </pre> -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
