On Tuesday, July 18, 2017 at 10:36:17 AM UTC-5, nan meng wrote:
>
> Hi all,
>
> I have tested Puppet with versions 4.1 and 2.x, and found that if an agent 
> connects to the master without certification, the connection can still be 
> established.
> I think this is not reasonable, because if the agent connects with a wrong 
> certification the connection will be refused.
>


Merely connecting does not necessarily imply normal or successful 
operation.  The Puppet catalog request process requires master and agent to 
authenticate to each other via cryptographic certificate.  This has been a 
Puppet foundational principle forever, or at least since before I started 
using Puppet way back at version 0.24.  If indeed you can show that a 
Puppet agent is able to obtain a catalog from a Puppet master without 
presenting a certificate that the master is willing to trust, or at least 
presenting a certificate-signing request that the master is willing to 
honor, then you have identified a serious flaw.  I'm not yet prepared to 
believe that you have done that.
> Does anyone know how to fix it?
>


It's not clear to me that anything is broken.
> The attachment is a packet capture taken using tcpdump. It can prove what I 
> have said.
>


I'm not sure what, exactly, your capture proves.  I see a TCP connection 
being established from a client to a server running on Puppet's standard 
port, 8140, at a different IP address.  I see some binary data being 
exchanged, and then the connection being closed at both ends.  But my 
protocol analyzer does not recognize the protocol of the conversation, 
and certainly it does not recognize it as SSL / TLS.  Who knows what the 
exchange actually means, or whether it is problematic?

If you want me to believe that you have discovered a bug -- or indeed if 
you want help with a solution or workaround -- then you'll need to present 
enough information to replicate the problem.  That includes some or all of 
the following:

   - Specific versions of agent and master
   - Operating system and version on which each is running
   - All non-default configuration properties on each side
   - A manifest set and any other needed server-side data (ideally a 
   single, trivial manifest if that is indeed sufficient)
   - The specific puppet agent command issued (which should include the 
   --debug or --test flag)
   - The corresponding console and/or log output from the agent, and maybe 
   also from the master.

All software has bugs, but I anticipate that you will find Puppet to be 
operating as intended in this particular area.


John
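An added example, not from this thread and not Puppet's own code, of the check a reader of such a capture would want to make: it walks the raw TCP payload bytes of one direction of a port 8140 conversation, decides whether they carry TLS 1.0-1.2 record framing at all (John's "binary data" that the analyzer does not recognize), and reports whether the server's handshake flight contains a CertificateRequest, which is what the master demanding a client certificate looks like on the wire. The byte strings below are constructed samples, not the original attachment; a real capture would be fed in as the reassembled server-to-client stream, and because TLS 1.3 encrypts this message the check only applies to the earlier versions.

```python
import struct

HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            13: "CertificateRequest", 14: "ServerHelloDone"}

def parse_tls_records(data):
    """Return (content_type, payload) per well-formed TLS 1.0-1.2 record;
    an empty list means the bytes carry no TLS record framing at all."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        if ctype not in (0x14, 0x15, 0x16, 0x17) or major != 3 or minor > 3:
            break  # not TLS framing (e.g. plain HTTP or some other protocol)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break  # truncated record, stop cleanly
        records.append((ctype, payload))
        pos += 5 + length
    return records

def handshake_types(data):
    """Names of the handshake messages found in plaintext handshake records."""
    names = []
    for ctype, payload in parse_tls_records(data):
        if ctype != 0x16:  # only handshake records carry these messages
            continue
        pos = 0
        while pos + 4 <= len(payload):
            hs_type = payload[pos]
            hs_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
            names.append(HS_NAMES.get(hs_type, "type%d" % hs_type))
            pos += 4 + hs_len
    return names

def server_requests_client_cert(server_bytes):
    """True when the server's flight carries CertificateRequest (mutual TLS)."""
    return "CertificateRequest" in handshake_types(server_bytes)

def _hs(hs_type, body):  # handshake message: type, 3-byte length, body
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def _record(payload):  # TLS 1.2 handshake record: type 0x16, version 3.3, length
    return b"\x16\x03\x03" + len(payload).to_bytes(2, "big") + payload

# Constructed sample server flights, not taken from the original capture.
_HELLO = _hs(2, b"\x03\x03" + b"\x00" * 33)  # ServerHello: version, random, empty session id
MUTUAL = _record(_HELLO + _hs(11, b"\x00\x00\x00") + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b""))
NO_CLIENT_AUTH = _record(_HELLO + _hs(11, b"\x00\x00\x00") + _hs(14, b""))
NOT_TLS = b"GET /puppet/v3/catalog/node1 HTTP/1.1\r\n"  # plain HTTP, no TLS framing
```

Running `handshake_types` over the server stream of a real capture either lists the handshake messages (and whether CertificateRequest is among them) or returns nothing, in which case the traffic is not a TLS handshake and proves nothing about certificate checking either way.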
