Issue #13435 has been updated by Jeff Weiss.
From what I can tell in the signing code, there's no explicit verification of the fingerprint of the CSR that's generated on the agent to what appears on the master. I believe that what is going on is that the agent generates a CSR, fingerprints it, and displays it, so that when you run puppet cert list on the master you can say, "Yep. that fingerprint matches."

As it stands you can currently run

<code><pre>
puppet cert list --digest sha1
</pre></code>

Changing lib/puppet/ssl/certificate_authority/interface.rb from :MD5 to :SHA1 will alter the default digest for <code>puppet cert list</code>.

I ran this scenario:

### Master ###
* PE 2.0.1
* Signing code unchanged

### Agent ###
* PE 2.0.1
* Signing code changed from MD5 to SHA1

<code><pre>
[Agent]# puppet agent --test
...
fingerprint (sha1) ...
[Master]# puppet cert sign agent1.localdomain
[Agent]# puppet agent --test
</pre></code>

Result: successful agent communication

----------------------------------------
Feature #13435: CSRs should be signed with SHA1, not MD5
https://projects.puppetlabs.com/issues/13435#change-59034

Author: Michael Smith
Status: Accepted
Priority: Normal
Assignee: Jeff Weiss
Category: SSL
Target version:
Affected Puppet version: 2.6.12
Keywords:
Branch:

The code in certificate_authority.rb uses SHA1 to issue certs, but the CSR generation code in certificate_request.rb signs the CSR using "csr.sign(key, OpenSSL::Digest::MD5.new)". I might be naive, but I figure this could be changed to SHA1 and get Puppet one step closer to working in FIPS mode (#8120).

I couldn't find the spot in the CA code where the CSR signature is actually verified. I suppose the CA should probably check the CSR is signed using a recommended algorithm, but FIPS mode would take care of disabling other algorithms anyway so I'm not particularly worried.
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
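The two points raised in the thread, the digest used when the agent signs its CSR and the absence of any CA-side check on that digest, can be shown together with Ruby's OpenSSL bindings. The following is an added example, not code from Puppet or from either poster: build_csr mirrors the csr.sign(key, digest) call quoted in the issue with the digest made a parameter, fingerprint produces the colon-separated form that puppet cert list --digest prints, and check_csr is a hypothetical CA-side allow-list check of the kind the issue says is missing. The function names, the allow-list contents and the sample common name are assumptions.

```ruby
# Added example (not Puppet's own code): build a CSR the way an agent
# would, then apply the two CA-side checks discussed in the issue: the
# operator-facing fingerprint (what `puppet cert list --digest` prints)
# and an allow-list check on the CSR's signature digest, which the issue
# notes the CA does not perform. Names and the allow-list are assumptions.
require 'openssl'

# Digest algorithms a CA is willing to accept on a CSR signature. MD5 is
# deliberately absent; SHA1 is listed only because the issue proposes it.
ACCEPTED_SIGNATURE_ALGORITHMS = %w[
  sha1WithRSAEncryption
  sha256WithRSAEncryption
].freeze

# Agent side: create a CSR for +common_name+ and self-sign it with +digest+
# ("MD5", "SHA1", "SHA256", ...). Only the digest argument differs from the
# csr.sign(key, OpenSSL::Digest::MD5.new) call quoted in the issue.
def build_csr(key, common_name, digest)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest))
  csr
end

# Fingerprint of the DER-encoded CSR in the colon-separated, upper-case
# form shown by `puppet cert list`, for the requested digest. The
# fingerprint digest is independent of the signature digest: it is
# computed over the whole request by whoever displays it.
def fingerprint(csr, digest = 'SHA1')
  OpenSSL::Digest.new(digest).hexdigest(csr.to_der).upcase.scan(/../).join(':')
end

# CA side: a CSR is acceptable only if its self-signature verifies under
# the embedded public key AND the signature algorithm is on the allow-list.
# Returns [accepted, reason] so the caller can log why a request was refused.
def check_csr(csr, allowed = ACCEPTED_SIGNATURE_ALGORITHMS)
  return [false, 'signature does not verify'] unless csr.verify(csr.public_key)

  algo = csr.signature_algorithm
  return [false, "signature algorithm #{algo} not accepted"] unless allowed.include?(algo)

  [true, "signed with #{algo}"]
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  csr = build_csr(key, 'agent1.localdomain', 'SHA1')   # constructed sample agent name
  puts "fingerprint (sha1) #{fingerprint(csr)}"
  accepted, reason = check_csr(csr)
  puts "#{accepted ? 'accepted' : 'rejected'}: #{reason}"
end
```

Running the script prints a SHA1 fingerprint in the same shape as the agent's "fingerprint (sha1)" line and reports the CSR as accepted; passing 'MD5' to build_csr produces a request that check_csr refuses because md5WithRSAEncryption is not on the list, and narrowing the list to sha256WithRSAEncryption alone refuses the SHA1-signed request as well. The signature-digest decision is made on the agent, so the CA is the only place where an unwanted digest can be rejected, which is why the check sits on the CA side.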
