* New Salt minions on Ubuntu are failing to authenticate with the Salt Master. The process terminates with a salt.exceptions.UnsupportedAlgorithm: Unsupported algorithm: OAEP-SHA1 error during the verify_master and decrypt_aes phases of the handshake.
* Log evidence from salt-minion shows the exception is raised in salt/crypt.py at line 270, in the decrypt method of the minion's private key. The minion tries to decrypt the master's session AES key with the default OAEP-SHA1 algorithm, and Salt's crypt module refuses it because SHA-1 is not permitted by the host's OpenSSL as exposed through the Python cryptography library. Note that the exception is salt.exceptions.UnsupportedAlgorithm, raised by Salt itself, not an exception coming out of the cryptography package.
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: auth["aes"] = self.verify_master(
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/crypt.py", line 1358, in verify_master
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: return self.extract_aes(payload, master_pub=False)
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/crypt.py", line 1280, in extract_aes
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: aes, token = self.decrypt_aes(payload, master_pub)
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/crypt.py", line 1118, in decrypt_aes
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: key_str = key.decrypt(payload["aes"], self.opts["encryption_algorithm"])
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/crypt.py", line 270, in decrypt
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: raise UnsupportedAlgorithm(f"Unsupported algorithm: {algorithm}")
Mar 18 20:34:23 [MINION_ID] salt-minion[1968238]: salt.exceptions.UnsupportedAlgorithm: Unsupported algorithm: OAEP-SHA1
Versions observed: Salt minion 3006.9, Salt master 3006.16.
The issue is caused by SHA-1 being disabled for signature and padding operations by the system-wide crypto policy on modern Linux distributions, in particular when OpenSSL runs in FIPS mode. Salt's master-minion handshake uses RSA-OAEP with a SHA-1 digest (OAEP-SHA1) by default to transport the session AES key, and PKCS#1 v1.5 signatures with SHA-1 (PKCS1v15-SHA1) for the master's signature, so a host that forbids SHA-1 in those roles cannot complete the handshake.
The Python cryptography library, which Salt uses for its RSA operations, delegates to the host's OpenSSL and inherits its policy: on such a host, requesting OAEP or MGF1 with hashes.SHA1() fails with cryptography.exceptions.UnsupportedAlgorithm. Salt does not wait for that call to fail inside OpenSSL; salt/crypt.py validates the requested algorithm against the digests it permits on the host (SHA-1 is excluded when OpenSSL reports FIPS mode) and raises its own salt.exceptions.UnsupportedAlgorithm. That check is the line-270 raise in the traceback above.
Salt version 3006.9 introduced the encryption_algorithm and signing_algorithm configuration options specifically so the handshake can avoid SHA-1 on hardened hosts. Setting them to OAEP-SHA224 and PKCS1v15-SHA224 (a stronger SHA-2 digest may be used where the installed version supports it) makes the minion use SHA-224-based OAEP and signatures instead, so no SHA-1 operation is requested and the RSA decryption of the AES key provided by the master succeeds. The master must also run a version that understands these options, since it has to encrypt the AES key and sign its replies with the algorithms the minion uses.
Upgrade the Salt infrastructure: ensure both master and minions run at least version 3006.9 (the versions observed above qualify). The options can be added to the configuration before upgrading; older versions ignore the unknown keys, so the settings take effect as soon as the upgraded salt-minion is restarted.
Reconfigure master and minion: add the following parameters to the minion configuration (for example in a drop-in file under /etc/salt/minion.d/) and to the master configuration (/etc/salt/master.d/) so both sides agree on the algorithms:
encryption_algorithm: OAEP-SHA224
signing_algorithm: PKCS1v15-SHA224
Clear keys: if the minion still fails after the configuration change, delete its accepted key on the master (salt-key -d <minion_id>) and remove the minion's local PKI directory (default /etc/salt/pki/minion), then restart salt-minion to force fresh key generation and a new handshake. Because the minion generates a new key pair, the new key has to be accepted on the master again (salt-key -a <minion_id>) unless auto-accept is configured.
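The script below is an added diagnostic for the cause and remediation described above; it is not Salt's code and not part of the original note. It parses algorithm names the way Salt's configuration spells them, applies a FIPS-style rule that excludes SHA-1 (this models Salt's behaviour and is an assumption, labelled as such in the comments), probes the host's OpenSSL through the cryptography package with a real RSA-OAEP round trip for each digest, and prints the encryption_algorithm / signing_algorithm lines for the first digest that works. The local UnsupportedAlgorithm class, the HASHES list and the sample key bytes are constructed for the example.

```python
"""Probe which Salt encryption_algorithm values the local OpenSSL build accepts."""
from __future__ import annotations

import sys

# Algorithm names as Salt spells them in the minion/master config (e.g. "OAEP-SHA224").
OAEP = "OAEP"
PKCS1V15 = "PKCS1v15"
HASHES = ("SHA1", "SHA224", "SHA256", "SHA384", "SHA512")  # constructed list for this example


class UnsupportedAlgorithm(Exception):
    """Local stand-in for salt.exceptions.UnsupportedAlgorithm (assumed shape, not Salt's class)."""


def parse_algorithm(name: str, expected_padding: str) -> tuple[str, str]:
    """Split 'OAEP-SHA224' into ('OAEP', 'SHA224'); reject unknown padding or digest names."""
    padding_name, _, digest = name.partition("-")
    if padding_name != expected_padding or digest not in HASHES:
        raise UnsupportedAlgorithm(f"Unsupported algorithm: {name}")
    return padding_name, digest


def allowed_digests(fips_mode: bool) -> tuple[str, ...]:
    """Digests a host permits. Excluding SHA-1 under FIPS models Salt's behaviour (assumption)."""
    return HASHES[1:] if fips_mode else HASHES


def check_algorithm(name: str, expected_padding: str, fips_mode: bool) -> str:
    """Return the digest if the algorithm is usable on this host, otherwise raise as Salt does."""
    _, digest = parse_algorithm(name, expected_padding)
    if digest not in allowed_digests(fips_mode):
        raise UnsupportedAlgorithm(f"Unsupported algorithm: {name}")
    return digest


def probe_oaep(digest: str, key=None):
    """Try a real RSA-OAEP encrypt/decrypt round trip with the given digest on this host's OpenSSL.

    Returns True if it works, False if OpenSSL/cryptography refuses the digest,
    or None if the cryptography package is not installed.
    """
    try:
        from cryptography.exceptions import UnsupportedAlgorithm as CryptoUnsupported
        from cryptography.hazmat.primitives import hashes
        from cryptography.hazmat.primitives.asymmetric import padding, rsa
    except ImportError:
        return None
    hash_cls = getattr(hashes, digest)
    if key is None:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Same construction Salt uses for OAEP: MGF1 and the label hash share one digest.
    pad = padding.OAEP(mgf=padding.MGF1(algorithm=hash_cls()), algorithm=hash_cls(), label=None)
    aes_key = b"constructed 32-byte sample key!!"  # stands in for the master's session AES key
    try:
        ciphertext = key.public_key().encrypt(aes_key, pad)
        return key.decrypt(ciphertext, pad) == aes_key
    except (CryptoUnsupported, ValueError):
        return False


def recommend_config(usable_digests) -> str:
    """Render minion/master config lines for the first usable SHA-2 digest in Salt's order."""
    for digest in HASHES[1:]:
        if digest in usable_digests:
            return f"encryption_algorithm: {OAEP}-{digest}\nsigning_algorithm: {PKCS1V15}-{digest}\n"
    raise UnsupportedAlgorithm("no SHA-2 digest usable for OAEP on this host")


def main() -> int:
    key = None
    try:
        from cryptography.hazmat.primitives.asymmetric import rsa
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # one key for all probes
    except ImportError:
        pass
    usable = []
    for digest in HASHES:
        ok = probe_oaep(digest, key)
        status = "usable" if ok else ("UNSUPPORTED" if ok is False else "cryptography not installed")
        print(f"{OAEP}-{digest}: {status}")
        if ok:
            usable.append(digest)
    if not usable:
        return 1
    print("Suggested configuration:\n" + recommend_config(usable), end="")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the failing minion with the Python interpreter bundled with the onedir install under /opt/saltstack/salt, so the probe sees the same OpenSSL build and policy as salt-minion; on a host where OAEP-SHA1 is refused the output marks that line UNSUPPORTED and suggests OAEP-SHA224, matching the configuration given above.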