On Monday, July 24, 2017 at 9:26:39 AM UTC-5, nan meng wrote:
>
> 1. Version:
>
> Puppet: 4.10.4
>
> Puppet server: 2.7.2
>
> Puppet Agent: I do not use agent to do test.
>
> OS: Ubuntu 64-desktop 16.04
>
> Openssl: 1.0.2g
>
> 2. There is not any non-default configuration.
>
> 3. Test command: openssl s_client -connect puppet:8140 ##puppet is the
> hostname of master.
>
> 4. There is no log from puppet, that is why I capture packet.
>
> 5. Use wireshark, Menu->Analyze->Decode As, TCP, choose SSL, the result
> is decoded as SSL.
>

As I said in response to your previous message, merely connecting to the Puppet server without a certificate does not in itself indicate a flaw. I was perhaps not clear enough in that previous response that Puppet allows SSL connections without a client certificate in order to service certificate-signing requests, as Michael has now clarified as well.

It would constitute a bug if an untrusted client -- whether a Puppet agent or something else -- were able to obtain a catalog or other secure data from the master, but you have not demonstrated such an issue as far as I can determine. Simply accepting a connection without authentication via client certificate does not demonstrate Puppet disclosing secure data to an untrusted client, nor is it an indication that a client successfully establishing such a connection could obtain such data.

I still see no reason to believe that the behavior you describe is flawed or that it requires fixing.

John
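The distinction drawn in the reply above can be checked directly on your own master. The following is an added example, not part of the original thread and not Puppet's own code: it makes requests without a client certificate and reports whether any protected endpoint returns data. It assumes the stock Puppet 4 HTTP API paths and port 8140; the node name and CA file path are supplied by the operator.

```python
import http.client
import ssl
import sys

# Assumed stock Puppet 4 / Puppet Server 2.x API paths; {node} is filled in by the caller.
PUBLIC_PATH = "/puppet-ca/v1/certificate/ca"  # control request: normally served anonymously
PROTECTED_PATHS = (
    "/puppet/v3/catalog/{node}?environment=production",
    "/puppet/v3/node/{node}?environment=production",
)


def fetch_status(host, port, path, cafile):
    """GET `path` over TLS, verifying the master but presenting no client certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("GET", path, headers={"Accept": "*/*"})
        return conn.getresponse().status
    finally:
        conn.close()


def audit(fetch, node):
    """Return findings; an empty list means anonymous clients were denied protected data.

    `fetch` is any callable mapping a request path to an HTTP status code.
    """
    findings = []
    if fetch(PUBLIC_PATH) != 200:
        # Not a flaw by itself; it means the probe did not reach the API as expected.
        findings.append(f"control request failed: {PUBLIC_PATH}")
    for template in PROTECTED_PATHS:
        path = template.format(node=node)
        status = fetch(path)
        if 200 <= status < 300:
            findings.append(f"anonymous client got HTTP {status} from {path}")
    return findings


if __name__ == "__main__":
    # Usage: script.py <master-hostname> <path-to-puppet-ca.pem> <existing-node-certname>
    host, cafile, node = sys.argv[1:4]
    result = audit(lambda p: fetch_status(host, 8140, p, cafile), node)
    print("\n".join(result) or "OK: protected endpoints refused the anonymous client")
    sys.exit(1 if result else 0)
```

A completed TLS handshake, as seen with `openssl s_client`, corresponds only to the control request succeeding; a finding is reported only when a catalog or node request returns a 2xx status without a client certificate.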
