Issue #13435 has been updated by eric sorenson.
Seems like if we're headed towards option 2 and have gone through all the work to discern whether, and emit a warning if, the CSR is md5-signed, we might as well print it out correctly too as in option 1 -- and it's not really an error to have old clients, it's supposed to be supported. So IMO option 1 is a pretty clear winner.

----------------------------------------
Feature #13435: CSRs should be signed with SHA1, not MD5
https://projects.puppetlabs.com/issues/13435#change-70943

Author: Michael Smith
Status: Code Insufficient
Priority: Normal
Assignee: Patrick Carlisle
Category: SSL
Target version: 3.0.0
Affected Puppet version: 2.6.12
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/616

The code in certificate_authority.rb uses SHA1 to issue certs, but the CSR generation code in certificate_request.rb signs the CSR using "csr.sign(key, OpenSSL::Digest::MD5.new)". I might be naive, but I figure this could be changed to SHA1 and get Puppet one step closer to working in FIPS mode (#8120).

I couldn't find the spot in the CA code where the CSR signature is actually verified. I suppose the CA should probably check the CSR is signed using a recommended algorithm, but FIPS mode would take care of disabling other algorithms anyway so I'm not particularly worried.
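The two points raised in the thread, signing the CSR with a non-MD5 digest and having the CA inspect which digest a submitted CSR was signed with before accepting it, can both be shown with Ruby's OpenSSL bindings. The following is an added example written for this thread, not Puppet's certificate_request.rb or certificate_authority.rb code; the subject name and the helper names (build_csr, check_csr) are constructed for illustration. It uses SHA1 as the thread proposes and SHA256, which is the usual default today, and flags an MD5-signed request the way "option 2" describes.

```ruby
require 'openssl'

# Build a CSR for the given key and common name, signed with the supplied
# digest. Mirrors the shape of the call quoted in the issue
# (csr.sign(key, digest)) but is not Puppet's code.
def build_csr(key, common_name, digest)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, digest)
  csr
end

# Report the signature algorithm the CSR was signed with, e.g.
# "sha1WithRSAEncryption" or "md5WithRSAEncryption".
def csr_signature_algorithm(csr)
  csr.signature_algorithm
end

# What a CA-side check could do when a CSR arrives in PEM form:
# 1. verify the self-signature against the embedded public key, and
# 2. flag a request whose digest is MD5 so the CA can warn (or refuse).
def check_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  algorithm = csr.signature_algorithm
  {
    algorithm: algorithm,
    valid_signature: csr.verify(csr.public_key),
    weak_digest: algorithm.downcase.include?('md5')
  }
end

if __FILE__ == $0
  key = OpenSSL::PKey::RSA.new(2048)
  # Constructed agent name; any CN works for the demonstration.
  cn = 'agent.example.test'

  [OpenSSL::Digest::SHA1.new, OpenSSL::Digest::SHA256.new].each do |digest|
    result = check_csr(build_csr(key, cn, digest).to_pem)
    puts "#{result[:algorithm]}: valid=#{result[:valid_signature]} weak=#{result[:weak_digest]}"
  end

  # MD5 signing is refused outright when OpenSSL runs in FIPS mode, which is
  # the situation the issue is working towards; handle that case instead of crashing.
  begin
    result = check_csr(build_csr(key, cn, OpenSSL::Digest::MD5.new).to_pem)
    puts "#{result[:algorithm]}: valid=#{result[:valid_signature]} weak=#{result[:weak_digest]}"
  rescue OpenSSL::OpenSSLError => e
    puts "MD5 signing unavailable in this OpenSSL build: #{e.message}"
  end
end
```

The weak_digest flag is the hook for the warning discussed above: a CA that keeps accepting MD5-signed requests from older agents can still log which clients need upgrading, while a FIPS-enabled OpenSSL simply refuses to produce the MD5 signature in the first place.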
