Issue #13435 has been updated by Patrick Carlisle.
To clarify: A puppet agent running 2.7 will still sign a cert with md5, and on that agent will display an md5 fingerprint. The master running 3.0 will display the sha256 fingerprint without any hint that it's using a different algorithm, and it will appear not to match.

Some options:
1) default to using the algorithm that the csr was signed with (md5 on 2.7 agents, sha256 on newer ones), possibly using different algorithms for different certs in the output of cert list
2) default to showing sha256 fingerprints, but print a warning if a cert was signed with md5
3) nothing

I think in all cases the output should at least mention the digest being used.

----------------------------------------
Feature #13435: CSRs should be signed with SHA1, not MD5
https://projects.puppetlabs.com/issues/13435#change-70931

Author: Michael Smith
Status: Code Insufficient
Priority: Normal
Assignee: Patrick Carlisle
Category: SSL
Target version: 3.0.0
Affected Puppet version: 2.6.12
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/616

The code in certificate_authority.rb uses SHA1 to issue certs, but the CSR generation code in certificate_request.rb signs the CSR using "csr.sign(key, OpenSSL::Digest::MD5.new)". I might be naive, but I figure this could be changed to SHA1 and get Puppet one step closer to working in FIPS mode (#8120).

I couldn't find the spot in the CA code where the CSR signature is actually verified. I suppose the CA should probably check the CSR is signed using a recommended algorithm, but FIPS mode would take care of disabling other algorithms anyway so I'm not particularly worried.
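The fingerprint mismatch described in the comment above, and the two remedies it proposes (pick the digest from the CSR's own signature algorithm, or always show SHA256 and warn on a weak signature), as an added Ruby example. This is not Puppet's code: the hostname, the list of digests treated as weak and the output format are constructed for illustration; the CSR is signed with SHA256 only, and the MD5/SHA256 fingerprints are computed over the same DER bytes to show that they cannot be compared across algorithms.

```ruby
require "openssl"

# Added example, not Puppet's code. Shows why an MD5 fingerprint printed by a
# 2.7 agent and a SHA256 fingerprint printed by a 3.0 master "don't match", and
# how to choose the fingerprint digest from the CSR's own signature algorithm.

# Map an X.509 signature algorithm name (e.g. "sha256WithRSAEncryption") to the
# digest it uses.
def digest_for(signature_algorithm)
  case signature_algorithm
  when /md5/i    then "MD5"
  when /sha1/i   then "SHA1"
  when /sha256/i then "SHA256"
  when /sha384/i then "SHA384"
  when /sha512/i then "SHA512"
  else raise ArgumentError, "unrecognised signature algorithm: #{signature_algorithm}"
  end
end

# Colon-separated uppercase hex fingerprint of the object's DER encoding, in the
# layout `openssl x509 -fingerprint` and `puppet cert list` use.
def fingerprint(der_object, digest_name)
  OpenSSL::Digest.digest(digest_name, der_object.to_der)
                 .unpack1("H*").upcase.scan(/../).join(":")
end

# Digests this (constructed) CA policy treats as too weak for a CSR signature.
WEAK_DIGESTS = %w[MD5 SHA1].freeze

def weak_signature?(csr)
  WEAK_DIGESTS.include?(digest_for(csr.signature_algorithm))
end

# Option 1 from the comment: fingerprint with the digest the CSR was signed with,
# returning the digest name alongside so the output can say which one it used.
def fingerprint_matching_signature(csr)
  digest = digest_for(csr.signature_algorithm)
  [digest, fingerprint(csr, digest)]
end

# Build a CSR the way an agent would, letting the caller choose the digest.
def build_csr(common_name, digest_name, key: OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
  csr
end

# Option 2 from the comment: always show SHA256, name the digest, and warn when
# the CSR was signed with a weak one.
def describe_csr(csr)
  digest = digest_for(csr.signature_algorithm)
  line = "#{csr.subject} (#{csr.signature_algorithm}) SHA256 #{fingerprint(csr, 'SHA256')}"
  line += "  WARNING: CSR signed with #{digest}" if weak_signature?(csr)
  line
end

if $PROGRAM_NAME == __FILE__
  csr = build_csr("agent.example.test", "SHA256") # constructed hostname
  puts "CSR signature algorithm: #{csr.signature_algorithm}"
  puts "MD5    fingerprint (what a 2.7 agent prints):  #{fingerprint(csr, 'MD5')}"
  puts "SHA256 fingerprint (what a 3.0 master prints): #{fingerprint(csr, 'SHA256')}"
  puts describe_csr(csr)
end
```

The two fingerprints differ in length (16 versus 32 bytes) as well as value, so even a quick visual comparison fails unless both sides print the digest name next to the fingerprint, which is the point the comment makes for all three options.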
