The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Feature #21029

Allow control over the digest used to create CA certificates

Added by Jan Örnstedt almost 3 years ago. Updated over 2 years ago.

Status: Accepted
Priority: Low
Assignee: -
% Done: 0%
Category: -
Target version: -
Affected Puppet version: 3.2.1
Start date: -
Due date: -
Branch: -
Keywords: sha256 openssl digest solaris

This ticket is now tracked at: https://tickets.puppetlabs.com/browse/PUP-1146


Description

If the puppet master uses SHA256 as the digest on the CA cert, then agents with older versions of OpenSSL will not be able to verify the CA cert, making it impossible for an OS such as Solaris 10 to connect to a master running on Solaris 11.

So far I have not found any method of down-revving the digest algorithm to SHA1 except for reissuing the certs with openssl directly.

Master:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53

# openssl verify  -CAfile ca.pem agent.pem
agent.pem: OK

# openssl x509 -text -noout -in ca.pem  | grep Signature
        Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

# openssl version
OpenSSL 1.0.0j 10 May 2012

Agent:
# digest -a md5 ca.pem agent.pem
(ca.pem) = 4a5e69cec9a9f8c39fd6b160b5cbea8c
(agent.pem) = 559cb7ddf565340ddf802670cc68cf53

# openssl verify  -CAfile ca.pem agent.pem 
agent.pem: /CN=agent
error 7 at 0 depth lookup:certificate signature failure

# openssl x509 -text -noout -in ca.pem  | grep Signature
        Signature Algorithm: 1.2.840.113549.1.1.11
    Signature Algorithm: 1.2.840.113549.1.1.11

# openssl version
OpenSSL 0.9.7d 17 Mar 2004
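As an added example, not part of this ticket or of Puppet's code: a small pure-Python check that reads the outer signatureAlgorithm OID from a DER/PEM certificate and names it. That OID is the field OpenSSL 0.9.7d can only print as 1.2.840.113549.1.1.11 above, so it tells an operator in advance whether a given ca.pem will fail on such an agent. The sample certificate the block builds is a constructed, Certificate-shaped DER blob with a dummy body, not a real Puppet CA cert.

```python
import base64

# PKCS#1 signature-scheme OIDs. An OpenSSL too old to know a scheme prints the
# bare OID in place of the name, as 0.9.7d does above for 1.2.840.113549.1.1.11.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Parse one DER header at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    body = [l for l in pem.splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def signature_algorithm(der):
    """Return (oid, name) from the outer signatureAlgorithm of an X.509 cert."""
    _, pos, _ = _read_tlv(der, 0)              # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(der, pos)        # tbsCertificate, skipped whole
    _, alg_start, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, start, end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID inside AlgorithmIdentifier")
    oid = _decode_oid(der[start:end])
    return oid, SIG_OIDS.get(oid, oid)

def legacy_openssl_can_verify(der):
    # Only SHA-1 signatures are checkable by a 0.9.7d agent like the one above.
    return signature_algorithm(der)[0] == "1.2.840.113549.1.1.5"

def constructed_cert(oid_hex):
    """Constructed sample, not a real cert: Certificate-shaped DER, dummy TBS."""
    tbs = bytes.fromhex("308180") + b"\x00" * 128      # long-form length, 128 bytes
    alg = bytes.fromhex("300d0609" + oid_hex + "0500")  # SEQUENCE { 9-byte OID, NULL }
    sig = bytes.fromhex("030300aabb")                   # dummy BIT STRING
    return bytes([0x30, 0x81, len(tbs + alg + sig)]) + tbs + alg + sig
```

Run it on a real file with `signature_algorithm(pem_to_der(open("ca.pem").read()))`; anything other than the SHA-1 OID will be rejected by the 0.9.7d agent shown above.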

Related issues

Related to Puppet - Bug #17295: Puppet not honouring --digest Closed
Related to Puppet - Feature #8120: Let user change hashing algorithm, to avoid crashing on F... Code Insufficient 06/28/2011
Related to Puppet - Feature #21257: Add a configuration option for the digest algorithm used ... Needs Decision

History

#1 Updated by Charlie Sharpsteen almost 3 years ago

  • Status changed from Unreviewed to Needs More Information
  • Assignee set to Jan Örnstedt

According to the OpenSSL documentation, http://www.openssl.org/docs/ssl/SSL_library_init.html#NOTES, support for SHA256 digests was enabled by default in versions 0.9.8o and 1.0.0a. The earliest OpenSSL version in which I could find SHA256 algorithm implementations was 0.9.7f, but these are not enabled by default.

On Solaris 10 the official SUN OpenSSL package is 0.9.7d which is too old for SHA256. The CSW OpenSSL package provides 0.9.8x which is new enough.

Jan, which version of Ruby are you using to run Puppet on Solaris 10? Is there a reason you can't use the CSW Ruby, which is built against a newer version of OpenSSL?

#2 Updated by Jan Örnstedt almost 3 years ago

  • Assignee changed from Jan Örnstedt to Charlie Sharpsteen

Charlie,

I compile my own version of Ruby and package it. We prefer not to replace all system libraries with new ones, as we have a support agreement with Oracle. We do not bring in third-party packages.

# ruby --version
ruby 1.8.7 (2011-06-30 patchlevel 352) [i386-solaris2.10]

Be aware that this also affects ticket #17295. My suggestion would be that there is some way to configure the CA to use only SHA1 in case you have older agents. I do NOT suggest that we should default to SHA256.

A FAQ entry regarding the issue and a config option to select SHA1 in case your environment is affected by this. It possibly should be mentioned in the install instructions so you don't have to reissue all certs when you are far into the implementation.

#3 Updated by Charlie Sharpsteen almost 3 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from SHA256 as digest is not compatible with older versions of openssl to Allow control over the digest used to create CA certificates
  • Status changed from Needs More Information to Accepted
  • Assignee deleted (Charlie Sharpsteen)
  • Priority changed from Normal to Low

Jan, thanks for the additional details. I'm reclassifying this as a feature request because there hasn't been any documented configuration setting for the CA cert digest.

I can certainly understand the desire to keep as much infrastructure as possible under the coverage of your support agreement with Oracle. I also understand that 2.7.x Puppet Masters used SHA1 for the CA cert digest and 3.x masters have switched to SHA2. However, the real root of the issue is that OpenSSL 0.9.7d is 9 years old, and the SUNWopenssl package may be the singular case among our supported platforms where the SSL library is this old. We include a build of 0.9.8x in our Solaris 10 Puppet Enterprise packages for this very reason and will be updating the installation guide to reflect these expectations.

We would gladly review a pull request that implements exposing the CA cert digest as a configuration option but are unlikely to investigate this feature ourselves as long as the driving need is support for outdated SSL libraries.

#4 Updated by Charlie Sharpsteen almost 3 years ago

I should also mention that Puppet 3.2.1 introduced support for plugging into external CA systems. This feature could be used to sidestep the problem at hand. A guide to supported CA configurations and how to set them up can be found here:

http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html

#5 Updated by Mark Barry over 2 years ago

I have come across a similar problem where the puppet master is Linux (Linux pmaster 2.6.18-348.18.1.el5 #1 SMP Fri Sep 6 12:37:18 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux) and some agents are running on Solaris 10 (SunOS pagent 5.10 Generic_148888-01 sun4v sparc sun4v).

The work around that I used was to initially create the puppet master on a Solaris host, then copy the ssl directory across to the Linux host.

Solaris:
puppet master --certname pmaster.domain.name --confdir /var/tmp/pm --no-daemonize --debug --vardir /var/tmp
cd /var/tmp
/usr/sfw/bin/gtar zcf ssl.tgz ssl

Linux:
cd [confdir]
gtar zxf /var/tmp/ssl.tgz
puppet master --confdir [confdir] --no-daemonize --debug

Restarting the "puppet agent" initialisation process then produces usable certificates on the Solaris hosts.

Further host information:
Solaris openssl: /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004
Linux openssl: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

#6 Updated by Jan Örnstedt over 2 years ago

Redmine Issue #21029 has been migrated to JIRA:

https://tickets.puppetlabs.com/browse/PUP-1146
