Issue #13435 has been updated by Moses Mendoza.

Status changed from Merged - Pending Release to Closed

released in 3.0.0-rc7

----------------------------------------
Feature #13435: CSRs should be signed with SHA1, not MD5
https://projects.puppetlabs.com/issues/13435#change-71888

Author: Michael Smith
Status: Closed
Priority: Normal
Assignee: Patrick Carlisle
Category: SSL
Target version: 3.0.0
Affected Puppet version: 2.6.12
Keywords:
Branch: https://github.com/puppetlabs/puppet/pull/1172

The code in certificate_authority.rb uses SHA1 to issue certs, but the CSR generation code in certificate_request.rb signs the CSR using "csr.sign(key, OpenSSL::Digest::MD5.new)". I might be naive, but I figure this could be changed to SHA1 and get Puppet one step closer to working in FIPS mode (#8120).

I couldn't find the spot in the CA code where the CSR signature is actually verified. I suppose the CA should probably check the CSR is signed using a recommended algorithm, but FIPS mode would take care of disabling other algorithms anyway so I'm not particularly worried.
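
A CA-side check of the kind the report suggests, as an added Ruby example (not Puppet's code and not part of the original issue): it reads the digest named in a CSR's signature algorithm, rejects MD5, and only then verifies the signature. The helper names, the rejected-digest list and the `agent.example.test` subject are assumptions of this example.

```ruby
require 'openssl'

# Assumption: digests this example CA refuses in a CSR signature. The issue
# only names MD5 (old) and SHA1 (new); adjust the list to local policy.
REJECTED_DIGESTS = %w[md2 md4 md5].freeze

# Build a CSR for a hypothetical agent name, signed with the given digest.
# Mirrors the csr.sign(key, digest) call quoted in the issue.
def build_csr(key, digest_name, cn = 'agent.example.test')
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(digest_name))
end

# Returns [accepted, detail]. The digest policy is checked before the
# signature so a weak CSR is reported as weak even where the local OpenSSL
# build can no longer verify that digest at all.
def check_csr(pem)
  csr = OpenSSL::X509::Request.new(pem)
  alg = csr.signature_algorithm # e.g. "md5WithRSAEncryption"
  weak = REJECTED_DIGESTS.find { |d| alg.downcase.include?(d) }
  return [false, "weak digest in #{alg}"] if weak
  # Proof of possession: the CSR must verify under its own public key.
  return [false, 'signature does not verify'] unless csr.verify(csr.public_key)
  [true, alg]
rescue OpenSSL::X509::RequestError
  [false, 'not a parseable CSR']
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key
  %w[MD5 SHA1 SHA256].each do |digest|
    begin
      accepted, detail = check_csr(build_csr(key, digest).to_pem)
      puts format('%-6s accepted=%-5s %s', digest, accepted, detail)
    rescue OpenSSL::OpenSSLError, RuntimeError => e
      # FIPS mode or a strict crypto policy may refuse to sign with this digest.
      puts format('%-6s could not be used for signing here: %s', digest, e.message)
    end
  end
end
```

On a host in FIPS mode the MD5 (and possibly SHA1) signing step itself fails, which is the behaviour the report relies on; the explicit check covers CAs that run outside FIPS mode.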
