Issue #6663 has been updated by Josh Cooper.

Status changed from In Topic Branch Pending Review to Code Insufficient

Hi James, from the puppet-dev discussion 
[http://groups.google.com/group/puppet-dev/browse_frm/thread/415f43b03d328efd/c897d70e0185e23d](http://groups.google.com/group/puppet-dev/browse_frm/thread/415f43b03d328efd/c897d70e0185e23d):

> Telly must support RHEL4, as PE supports RHEL4.

And:

> RHEL4, which has a version of OpenSSL old enough that SHA256 wasn't supported
> upstream. Given that we know the Ruby OpenSSL bindings to fail, rather than
> anything else, if you ask for an algorithm that doesn't exist in the underlying
> libraries

I don't believe the code as it currently exists can be merged. However, we 
should be able to programmatically check which digests the underlying openssl 
provider supports and select appropriate defaults, e.g.

<pre>
# pick sha256 when the bindings expose it, otherwise fall back to md5
:ca_md => [ defined?(OpenSSL::Digest::SHA256) ? "sha256" : "md5", "The type of hash used in certificates."],
</pre>

Before making such a change though we should verify that calling 
defined?(OpenSSL::Digest::SHA256) on an older RHEL4 box doesn't segfault.
----------------------------------------
Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048
https://projects.puppetlabs.com/issues/6663

Author: micah -
Status: Code Insufficient
Priority: Urgent
Assignee: 
Category: SSL
Target version: 2.7.x
Affected Puppet version: 
Keywords: 
Branch: 
https://github.com/jamtur01/puppet/commit/b929aa19330bab42421190e60099ac2406f975c3


puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new 
RSA keys.

It should default to 2048, not 1024; there are a number of reasons for this:

* many free software crypto tools are defaulting to 2048-bit keys now
  (e.g. OpenSSH, GnuPG)

* NIST has recommended avoiding reliance on 1024-bit keys after the
  end of 2010

* you can compare other comparable standards at http://keylength.com/

Considering that generated certificates are expected to be around for at least 
the lifetime of the server itself, setting a reasonable bit-length key from the 
beginning is pretty important, especially if the server might be expected to be 
around for some years from now... 

You might argue that this is a feature request, but I would like to pre-empt 
that argument. Now that we are well beyond the NIST recommendation, this is a 
bug nowadays.
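The runtime digest check Josh proposes above, together with the 2048-bit default micah asks for, as an added Ruby example that is not Puppet's code and not from either poster. It probes the OpenSSL bindings by constructing each candidate digest (so a digest the underlying library lacks is caught by the resulting exception rather than by the constant check alone), picks the first available one as the certificate hash, generates a key of the default length and signs a self-signed certificate with the result. The names DIGEST_PREFERENCE, DEFAULT_KEYLENGTH, digest_supported?, default_ca_md, generate_key and self_signed_cert are assumptions made for this example.

```ruby
require 'openssl'

# Preference order for the certificate signature digest; the first one the
# OpenSSL bindings can actually construct wins. (Constructed list, not Puppet's.)
DIGEST_PREFERENCE = %w[sha256 sha1 md5].freeze

# Key length the bug report asks for as the new default.
DEFAULT_KEYLENGTH = 2048

# Josh's check: is the Ruby constant for this digest defined at all?
def digest_constant_defined?(name)
  OpenSSL::Digest.const_defined?(name.upcase)
end

# Stronger check: can the bindings build the digest? This is where the
# underlying library (an old OpenSSL, or a FIPS build with md5 disabled)
# makes the bindings raise, which the constant check above would not see.
def digest_supported?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# Returns the first usable digest name from the preference list, or raises
# if the bindings provide none of them.
def default_ca_md(preference = DIGEST_PREFERENCE)
  preference.find { |name| digest_supported?(name) } or
    raise "none of #{preference.join(', ')} is available from OpenSSL"
end

# Generates a new RSA key of the default (2048-bit) length.
def generate_key(bits = DEFAULT_KEYLENGTH)
  OpenSSL::PKey::RSA.new(bits)
end

# Builds a one-year self-signed certificate with the chosen digest, the way a
# CA bootstrap would, so the selected hash is exercised end to end.
def self_signed_cert(key, md)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=example-ca") # constructed subject
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new(md))
  cert
end

if __FILE__ == $PROGRAM_NAME
  md = default_ca_md
  key = generate_key
  cert = self_signed_cert(key, md)
  puts "ca_md=#{md} constant_defined=#{digest_constant_defined?(md)}"
  puts "keylength=#{key.n.num_bits} signature=#{cert.signature_algorithm}"
end
```

On a modern OpenSSL the probe selects sha256 and the certificate reports sha256WithRSAEncryption; on a library without SHA-256 the same code falls through to the next entry instead of failing at signing time. The constant check is kept alongside the probe so the two can be compared on the platform in question, which is the verification Josh asks for before changing the default.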


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.