Issue #21029 has been updated by Jan Örnstedt. Assignee changed from Jan Örnstedt to Charlie Sharpsteen
Charlie, I compile my own version of Ruby and package it. We do not prefer to replace all system libraries for new as we have a support agreement with Oracle. We do not bring in third party packages.

<pre>
# ruby --version
ruby 1.8.7 (2011-06-30 patchlevel 352) [i386-solaris2.10]
</pre>

Be aware that this also affects the ticket #17295.

My suggestion would be that there is some way to configure the CA to use only SHA1 in case you have older agents. I do NOT suggest that we should default to SHA256. A FAQ entry regarding the issue and a config option to select SHA1 in case your environment is affected by this. It possibly should be mentioned in the install instructions so you don't have to reissue all certs when you are far into the implementation.

----------------------------------------
Bug #21029: SHA256 as digest is not compatible with older versions of openssl
https://projects.puppetlabs.com/issues/21029#change-92607

* Author: Jan Örnstedt
* Status: Needs More Information
* Priority: Normal
* Assignee: Charlie Sharpsteen
* Category:
* Target version:
* Affected Puppet version: 3.2.1
* Keywords: sha256 openssl digest solaris
* Branch:
----------------------------------------

If the puppet master uses SHA256 as digest on the CA cert then agents with older versions of openssl will not be able to verify the CA cert, making it impossible for an OS such as Solaris 10 to connect to a master running on Solaris 11. So far I have not found any method of down-revving the digest algorithm to SHA1 except for reissuing the certs with openssl directly.
<pre>
Master:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53
# openssl verify -CAfile ca.pem agent.pem
agent.pem: OK
# openssl x509 -text -noout -in ca.pem | grep Signature
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption
# openssl version
OpenSSL 1.0.0j 10 May 2012

Agent:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53
# openssl verify -CAfile ca.pem agent.pem
agent.pem: /CN=agent
error 7 at 0 depth lookup:certificate signature failure
# openssl x509 -text -noout -in ca.pem | grep Signature
    Signature Algorithm: 1.2.840.113549.1.1.11
    Signature Algorithm: 1.2.840.113549.1.1.11
# openssl version
OpenSSL 0.9.7d 17 Mar 2004
</pre>
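As an added example (not from the ticket or from Puppet's own code), the Python below reads the two signature-algorithm OIDs out of a DER certificate, the same two "Signature Algorithm" lines the openssl output above prints, and flags a certificate that an OpenSSL without SHA-2 support (the 0.9.7d agent above) cannot verify. The certificate fixture is a constructed certificate-shaped DER with no real key or signature, and the "SHA-2 needs OpenSSL 0.9.8 or later" cut-off is an assumption; the report only shows 0.9.7d failing and 1.0.0j succeeding.

```python
# Content octets of the two OIDs involved; the sha256 one is the bare
# "1.2.840.113549.1.1.11" the old agent prints because it has no name for it.
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
NEEDS_SHA2 = {"1.2.840.113549.1.1.11"}  # assumption: verifying needs OpenSSL >= 0.9.8

def read_tlv(buf, pos):
    """Parse one DER TLV at pos and return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OID content octets into dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID)."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, after_tbs = read_tlv(cert, 0)
    tag, _, p = read_tlv(tbs, 0)            # optional [0] EXPLICIT version
    if tag != 0xA0: p = 0                   # no version: element 0 is serialNumber
    _, _, p = read_tlv(tbs, p)              # serialNumber
    _, alg, _ = read_tlv(tbs, p)            # signature AlgorithmIdentifier
    inner = decode_oid(read_tlv(alg, 0)[1])
    _, alg, _ = read_tlv(cert, after_tbs)   # signatureAlgorithm
    return inner, decode_oid(read_tlv(alg, 0)[1])

def legacy_openssl_can_verify(cert_der):
    """False when either OID needs SHA-2: the Solaris 10 agent failure above."""
    return not any(oid in NEEDS_SHA2 for oid in signature_algorithms(cert_der))

def tlv(tag, content):
    """Encode a short-form DER TLV (content under 128 bytes) for the fixture below."""
    return bytes([tag, len(content)]) + content

def fake_cert(sig_oid):
    """Constructed certificate-shaped DER (no real key or signature) for testing."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xab"))
```

To check a real CA certificate, convert it first with `openssl x509 -in ca.pem -outform DER -out ca.der` and call `signature_algorithms(open("ca.der", "rb").read())`.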
