[
https://issues.apache.org/jira/browse/KUDU-3663?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alexey Serbin updated KUDU-3663:
--------------------------------
Affects Version/s: 1.16.0
1.15.0
1.14.0
1.13.0
1.12.0
> Support certificates signed with RSASSA-PSS for channel binding
> ---------------------------------------------------------------
>
> Key: KUDU-3663
> URL: https://issues.apache.org/jira/browse/KUDU-3663
> Project: Kudu
> Issue Type: Task
> Components: security
> Affects Versions: 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1
> Reporter: Joe McDonnell
> Assignee: Joe McDonnell
> Priority: Critical
>
> Impala hit an issue (IMPALA-14038) where certificates signed using RSASSA-PSS
> don't work with KRPC / SASL clusters. It produces an error like:
> {noformat}
> negotiation.cc:311] Negotiation complete: Not implemented: Server connection
> negotiation failed: server connection from ****: server certificate has no
> signature digest (hash) algorithm{noformat}
> That error comes from Cert::GetServerEndPointChannelBindings(), which is code
> shared between Kudu and Impala, so this is the corresponding Kudu JIRA. The
> issue is that RSASSA-PSS has a configurable hash algorithm, and OpenSSL's
> OBJ_find_sigid_algs() doesn't handle finding the hash algorithm for
> RSASSA-PSS.
> OpenSSL 1.1.1 introduced the x509_get_signature_info(), which supports
> fetching the hash algorithm for RSASSA-PSS. Postgres switched their code to
> use this when faced with a similar situation:
> [https://www.postgresql.org/message-id/CAAWbhmgjYym7AsH1fqOx%2BbNqctPpSW1DzyLv_0VhBa_ng%2BNVyQ%40mail.gmail.com]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
