Description
Describe the unexpected behaviour
When ClickHouse needs to communicate with another host over TLS, if the other host is using a certificate with an ed25519 signature, ClickHouse fails the TLS handshake with the following error:
Error message: Poco::Exception. Code: 1000, e.code() = 0, SSL Exception: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (version 23.4.3.48 (official build))
So far I've hit this issue with TLS inter-node communication and with TLS-enabled Minio, using S3-backed merge trees against Minio.
How to reproduce
I do not have a minimal working example, but the rough idea is:
- version: latest LTS and 23.4.3.48, both have the issue in my testing at least
- generate a self-signed CA
- generate a server certificate using an ed25519 key and your CA
- configure Minio, or another ClickHouse server, with the new server certificate
- configure ClickHouse to use Minio with some S3-based feature, or configure a ClickHouse cluster with secure inter-node communication
Expected behavior
ClickHouse is able to verify the TLS certificate.
Error message and/or stacktrace
Example stack trace from my ClickHouse server running in K8s, connecting to Minio over TLS:
2023.06.09 21:00:44.354053 [ 312 ] {} <Error> AWSClient: Failed to make request to: https://minio.minio.svc.cluster.local/hubble-timescape-clickhouse/data/clickhouse_remove_objects_capability_5b77dda1-ebe5-4745-a3b3-e69fd26ba55e: Poco::Exception. Code: 1000, e.code() = 0, SSL Exception: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE, Stack trace (when copying this message, always include the lines below):
WARNING: Certificate verification failed
0. Poco::Net::SecureSocketImpl::handleError(int) @ 0x11e89e6c in /usr/bin/clickhouse
1. Poco::Net::SecureSocketImpl::connectSSL(bool) @ 0x11e88e78 in /usr/bin/clickhouse
2. Poco::Net::SecureSocketImpl::connect(Poco::Net::SocketAddress const&, Poco::Timespan const&, bool) @ 0x11e89310 in /usr/bin/clickhouse
3. Poco::Net::SecureStreamSocketImpl::connect(Poco::Net::SocketAddress const&, Poco::Timespan const&) @ 0x11e8e8e4 in /usr/bin/clickhouse
4. Poco::Net::HTTPSClientSession::connect(Poco::Net::SocketAddress const&) @ 0x11e7966c in /usr/bin/clickhouse
5. Poco::Net::HTTPClientSession::reconnect() @ 0x11e9865c in /usr/bin/clickhouse
6. Poco::Net::HTTPClientSession::sendRequest(Poco::Net::HTTPRequest&) @ 0x11e97a64 in /usr/bin/clickhouse
7. DB::S3::PocoHTTPClient::makeRequestInternal(Aws::Http::HttpRequest&, std::shared_ptr<DB::S3::PocoHTTPResponse>&, Aws::Utils::RateLimits::RateLimiterInterface*, Aws::Utils::RateLimits::RateLimiterInterface*) const @ 0xf5feb98 in /usr/bin/clickhouse
8. DB::S3::PocoHTTPClient::MakeRequest(std::shared_ptr<Aws::Http::HttpRequest> const&, Aws::Utils::RateLimits::RateLimiterInterface*, Aws::Utils::RateLimits::RateLimiterInterface*) const @ 0xf5fd078 in /usr/bin/clickhouse
9. Aws::Client::AWSClient::AttemptOneRequest(std::shared_ptr<Aws::Http::HttpRequest> const&, Aws::AmazonWebServiceRequest const&, char const*, char const*, char const*) const @ 0x120db7ac in /usr/bin/clickhouse
10. Aws::Client::AWSClient::AttemptExhaustively(Aws::Http::URI const&, Aws::AmazonWebServiceRequest const&, Aws::Http::HttpMethod, char const*, char const*, char const*) const @ 0x120d8f0c in /usr/bin/clickhouse
11. Aws::Client::AWSXMLClient::MakeRequest(Aws::Http::URI const&, Aws::AmazonWebServiceRequest const&, Aws::Http::HttpMethod, char const*, char const*, char const*) const @ 0x120f9050 in /usr/bin/clickhouse
12. Aws::S3::S3Client::PutObject(Aws::S3::Model::PutObjectRequest const&) const @ 0x1221148c in /usr/bin/clickhouse
Additional context
Other algorithms work (ECDSA, RSA, etc.); it's only ed25519 that I've had problems with so far.
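The reproduction steps above, as an added example that is not part of the original report: generate the self-signed ed25519 CA and ed25519 server certificate with OpenSSL, then verify the chain and hostname outside ClickHouse, so that a subsequent handshake failure can be attributed to the client and not to a bad certificate. The hostname defaults to the Minio service name from the stack trace; the directory layout and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue): build the ed25519 CA + server chain the
# report describes, then check it independently of ClickHouse.
set -eu

# Generate a self-signed ed25519 CA and an ed25519 server certificate signed by
# it into directory $1; the server hostname $2 defaults to the Minio service name.
make_ed25519_chain() {
    dir=$1
    host=${2:-minio.minio.svc.cluster.local}
    mkdir -p "$dir"
    openssl genpkey -algorithm ed25519 -out "$dir/ca.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Test CA" -days 30 \
        -out "$dir/ca.crt" 2>/dev/null
    openssl genpkey -algorithm ed25519 -out "$dir/server.key" 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    # No digest flag here: ed25519 signatures take none (openssl rejects -sha256).
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/san.cnf" \
        -out "$dir/server.crt" 2>/dev/null
}

# Print the signature algorithm a certificate carries; expect ED25519 for both
# files produced above (this is what the failing client has to support).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Exit 0 only if server.crt chains to ca.crt and matches hostname $2, i.e. the
# chain itself is one a TLS client should accept.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null
}
```

Source the file, run `make_ed25519_chain /tmp/edchain` and `verify_chain /tmp/edchain minio.minio.svc.cluster.local`; if the chain verifies here but the ClickHouse handshake still fails, the problem is in the client's TLS stack, not in the certificate.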