Issue #6663 has been updated by Daniel Pittman.

Status changed from Accepted to In Topic Branch Pending Review

Daniel Pittman wrote:
> It doesn't address any of the checksum changes, which we have substantial
> compatibility issues around since they are passed without reference to type
> in most of the code, and where we can't just drop older clients. The ticket
> is remaining open as a consequence.

Scratch that; #8120 already captures the hash issue, so this can close off and that ticket take over that role. If you also care about the problem of using the MD5 hash, please watch that ticket also.

----------------------------------------
Bug #6663: puppet.conf says keylength defaults to 1024 -- should be 2048
https://projects.puppetlabs.com/issues/6663#change-54778

Author: micah -
Status: In Topic Branch Pending Review
Priority: High
Assignee:
Category: SSL
Target version: 2.7.x
Affected Puppet version:
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/498

puppet.conf(5) says that the keylength parameter defaults to 1024 bits for new RSA keys. It should default to 2048, not 1024; there are a number of reasons for this:

* many free software crypto tools are defaulting to 2048-bit keys now (e.g. OpenSSH, GnuPG)
* NIST has recommended avoiding reliance on 1024-bit keys after the end of 2010
* you can compare other comparable standards at http://keylength.com/

Considering that generated certificates are expected to be around for at least the lifetime of the server itself, setting a reasonable bit-length key from the beginning is pretty important, especially if the server might be expected to be around for some years from now...

You might argue that this is a feature request, but I would like to pre-empt that argument. Now that we are well beyond the NIST recommendation, this is a bug nowadays.
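An added example, not part of the original notification or of Puppet's code: a small audit that reports the effective `keylength` for each section of a puppet.conf and flags anything under 2048 bits. It assumes a section's own setting overrides `[main]`, and that an unset value falls back to the 1024-bit default the report quotes; the function name and the sample file are constructed for illustration.

```python
import configparser

DOCUMENTED_DEFAULT = 1024  # default the report quotes from puppet.conf(5)
MINIMUM_BITS = 2048        # default the report asks for

# Constructed sample puppet.conf, not taken from a real system.
SAMPLE_CONF = """\
[main]
  vardir = /var/lib/puppet
[master]
  keylength = 4096
[agent]
  server = puppet.example.com
"""

def audit_keylength(conf_text, default=DOCUMENTED_DEFAULT, minimum=MINIMUM_BITS):
    """Return {section: (bits, source, ok)} for every section in conf_text."""
    # Strip indentation so configparser does not treat settings as continuations.
    flat = "\n".join(line.strip() for line in conf_text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(flat)
    report = {}
    for section in parser.sections():
        if parser.has_option(section, "keylength"):
            raw, source = parser.get(section, "keylength"), section
        elif parser.has_option("main", "keylength"):
            raw, source = parser.get("main", "keylength"), "main"
        else:
            raw, source = str(default), "default"
        try:
            bits = int(raw)
        except ValueError:
            bits = None  # unparsable value: report it as failing
        report[section] = (bits, source, bits is not None and bits >= minimum)
    return report

if __name__ == "__main__":
    for name, (bits, source, ok) in audit_keylength(SAMPLE_CONF).items():
        verdict = "ok" if ok else "TOO SHORT"
        print(f"[{name}] keylength={bits} (from {source}): {verdict}")
```

Raising the setting only affects keys generated afterwards; keys and certificates already issued at 1024 bits keep that length until they are regenerated.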
