Issue #21029 has been updated by Charlie Sharpsteen.

Tracker changed from Bug to Feature
Subject changed from SHA256 as digest is not compatible with older versions of 
openssl to Allow control over the digest used to create CA certificates
Status changed from Needs More Information to Accepted
Assignee deleted (Charlie Sharpsteen)
Priority changed from Normal to Low

Jan, thanks for the additional details---I'm reclassifying this as a feature 
request because there hasn't been any documented configuration setting for the 
CA cert digest.

I can certainly understand the desire to keep as much infrastructure as 
possible under the coverage of your support agreement with Oracle. I also 
understand that 2.7.x Puppet Masters used SHA1 for the CA cert digest and 3.x 
masters have switched to SHA2. However, the real root of the issue is that 
OpenSSL 0.9.7d is 9 years old and the SUNWopenssl package may be the singular 
case among our supported platforms where the SSL library is this old. We 
include a build of 0.9.8x in our Solaris 10 Puppet Enterprise packages for this 
very reason and will be updating the installation guide to reflect these 
expectations.

We would gladly review a pull request that implements exposing the CA cert 
digest as a configuration option but are unlikely to investigate this feature 
ourselves as long as the driving need is support for outdated SSL libraries.

----------------------------------------
Feature #21029: Allow control over the digest used to create CA certificates
https://projects.puppetlabs.com/issues/21029#change-92626

* Author: Jan Örnstedt
* Status: Accepted
* Priority: Low
* Assignee: 
* Category: 
* Target version: 
* Affected Puppet version: 3.2.1
* Keywords: sha256 openssl digest solaris
* Branch: 
----------------------------------------
If the puppet master uses SHA256 as the digest on the CA cert, then agents with 
older versions of openssl will not be able to verify the CA cert, making it 
impossible for an OS such as Solaris 10 to connect to a master running on Solaris 
11. 

So far I have not found any method of downrevving the digest algorithm to SHA1 
except reissuing the certs with openssl directly.

<pre>
Master:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53

# openssl verify  -CAfile ca.pem agent.pem
agent.pem: OK

# openssl x509 -text -noout -in ca.pem  | grep Signature
        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

# openssl version
OpenSSL 1.0.0j 10 May 2012

Agent:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53

# openssl verify  -CAfile ca.pem agent.pem 
agent.pem: /CN=agent
error 7 at 0 depth lookup:certificate signature failure

# openssl x509 -text -noout -in ca.pem  | grep Signature
        Signature Algorithm: 1.2.840.113549.1.1.11
    Signature Algorithm: 1.2.840.113549.1.1.11

# openssl version
OpenSSL 0.9.7d 17 Mar 2004
</pre>
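As an added example (not part of the ticket and not Puppet code), the following Python reads the outer signatureAlgorithm OID from a certificate the way the agent's OpenSSL 0.9.7d did when it printed 1.2.840.113549.1.1.11 instead of sha256WithRSAEncryption, and maps it to a name so an operator can spot a SHA-256-signed CA cert before rolling agents out; the OID table and the build_stub certificates are constructed for this example, and the stubs are not valid certificates.

```python
import base64
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",   # assumed mapping
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm field of an X.509 cert."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { ... }
    _, _, pos = _tlv(cert, 0)              # tbsCertificate: skipped as a whole
    _, algid, _ = _tlv(cert, pos)          # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid, _ = _tlv(algid, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER in AlgorithmIdentifier"
    return _decode_oid(oid)

def check(der):
    """(oid, name); 'unknown' mirrors OpenSSL 0.9.7d printing only the bare OID."""
    oid = signature_algorithm(der)
    return oid, SIG_OIDS.get(oid, "unknown")

def build_stub(oid_bytes):
    """Constructed minimal DER, NOT a valid cert: empty tbsCertificate, AlgorithmIdentifier {oid, NULL}, empty BIT STRING."""
    algid = b"\x30" + bytes([len(oid_bytes) + 4]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x00" + algid + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

Run `check(pem_to_der(open("ca.pem").read()))` against a real CA cert; a result of "unknown" on the checking host means the same thing the ticket's `openssl x509` output does, that the local library has no name for the signature algorithm.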



-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.