[ https://issues.apache.org/jira/browse/KUDU-3663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17985976#comment-17985976 ]
ASF subversion and git services commented on KUDU-3663:
-------------------------------------------------------
Commit da751805d8ac5f5668288c61441083d5ce25f133 in kudu's branch
refs/heads/branch-1.18.x from Abhishek Chennaka
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=da751805d ]
[docs] Update Kudu 1.18.0 release notes
This adds an entry about KUDU-3663 in the release notes.
Change-Id: I3b6a38ad8f52f6f9bb60fe3981147e32ab9e4051
Reviewed-on: http://gerrit.cloudera.org:8080/23089
Reviewed-by: Alexey Serbin <[email protected]>
Tested-by: Alexey Serbin <[email protected]>
> Support certificates signed with RSASSA-PSS for channel binding
> ---------------------------------------------------------------
>
> Key: KUDU-3663
> URL: https://issues.apache.org/jira/browse/KUDU-3663
> Project: Kudu
> Issue Type: Task
> Components: security
> Affects Versions: 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1
> Reporter: Joe McDonnell
> Assignee: Joe McDonnell
> Priority: Critical
> Fix For: 1.18.0
>
>
> Impala hit an issue (IMPALA-14038) where certificates signed using RSASSA-PSS
> don't work with KRPC / SASL clusters. It produces an error like:
> {noformat}
> negotiation.cc:311] Negotiation complete: Not implemented: Server connection
> negotiation failed: server connection from ****: server certificate has no
> signature digest (hash) algorithm{noformat}
> That error comes from Cert::GetServerEndPointChannelBindings(), which is code
> shared between Kudu and Impala, so this is the corresponding Kudu JIRA. The
> issue is that RSASSA-PSS has a configurable hash algorithm, and OpenSSL's
> OBJ_find_sigid_algs() doesn't handle finding the hash algorithm for
> RSASSA-PSS.
> OpenSSL 1.1.1 introduced the x509_get_signature_info(), which supports
> fetching the hash algorithm for RSASSA-PSS. Postgres switched their code to
> use this when faced with a similar situation:
> [https://www.postgresql.org/message-id/CAAWbhmgjYym7AsH1fqOx%2BbNqctPpSW1DzyLv_0VhBa_ng%2BNVyQ%40mail.gmail.com]
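The distinction the issue description draws, shown as an added example (not part of the original message, and not Kudu or OpenSSL code): for most signature algorithms the OID alone fixes the digest, while for RSASSA-PSS the digest has to be read from the algorithm parameters. Function names are hypothetical, the sample bytes are constructed, and the SHA-256 substitution for MD5 and SHA-1 is the tls-server-end-point rule from RFC 5929.

```python
# Added illustration, not Kudu or OpenSSL code; all names here are hypothetical.
RSASSA_PSS = "1.2.840.113549.1.1.10"
# Signature OIDs that imply one fixed digest: what a static table can express.
FIXED = {"1.2.840.113549.1.1.5": "sha1",      # sha1WithRSAEncryption
         "1.2.840.113549.1.1.11": "sha256"}   # sha256WithRSAEncryption
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256",
             "2.16.840.1.101.3.4.2.2": "sha384", "2.16.840.1.101.3.4.2.3": "sha512"}
# Constructed sample: signatureAlgorithm of a cert signed with RSASSA-PSS/SHA-256.
PSS_SHA256 = bytes.fromhex(
    "304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c"
    "301a06092a864886f70d010108300d06096086480165030402010500a203020120")

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_digest(alg_id_der):
    """Digest named by a certificate's signatureAlgorithm AlgorithmIdentifier."""
    _, body, _ = read_tlv(alg_id_der)
    _, oid, pos = read_tlv(body)
    sig_oid = decode_oid(oid)
    if sig_oid != RSASSA_PSS:
        return FIXED[sig_oid]               # the OID alone settles the digest
    params = read_tlv(body, pos)[1] if pos < len(body) else b""
    if not params or params[0] != 0xA0:     # hashAlgorithm [0] absent: DEFAULT sha1
        return "sha1"
    hash_alg = read_tlv(read_tlv(params)[1])[1]   # unwrap [0] EXPLICIT, then SEQUENCE
    return HASH_OIDS[decode_oid(read_tlv(hash_alg)[1])]

def channel_binding_digest(alg_id_der):
    """tls-server-end-point rule (RFC 5929): MD5 and SHA-1 become SHA-256."""
    digest = signature_digest(alg_id_der)
    return "sha256" if digest in ("md5", "sha1") else digest
```

The same RSASSA-PSS OID yields different digests depending on its parameters, which is why a lookup keyed only on the signature OID cannot answer for it.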