Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2018-02-06 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Change By: Josh Cooper
Fix Version/s: PUP 5.4.0

This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2018-01-03 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Change By: Geoff Nichols
Team: Platform Core


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-10-20 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-10-20 Thread Adrien Thebo (JIRA)
Adrien Thebo assigned an issue to Unassigned

Change By: Adrien Thebo
Assignee: Adrien Thebo


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-09-25 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-3114

Jayant Sane That's good news! I just double checked on one of my systems and the updates to openssl do indeed seem to support 4096 bit keys.
However, this will not be compatible with all versions of EL6 and EL7 since I know for a fact that they used to die on 4096 bit keys.
Ideally, you would try for 4096 and then either step it down to something that works or just provide a helpful error message. Personally, I would step it down if possible.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-09-25 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-3114

I seem to be able to generate & use a 4k key/cert fine on CentOS 6 in FIPS mode.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-09-25 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-3114

Jayant Sane The 2048, 3072, and 15360 key sizes were found by trial and error based on the FIPS documentation and an understanding of the standard key sizes.
4096 may work on EL7, but check EL6 as well. They may have updated both, and that would be nice, but you're going to be in a bit of a bind if you end up with different systems that support different settings based on patch-level.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-09-20 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-3114

Hi Trevor Vaughan, could you please point me to the FIPS 140-2 spec you are referring to that lists the allowed & approved RSA key (modulus) sizes - 2048, 3072 and 15360? It seems to me anything equal to or above 2048 bits would be allowed. Approved is a different story, as the modulus sizes appear to depend on things when using auxiliary primes or the size of the AES key being transported using the RSA key. I am likely not very informed here so may be confusing things.
On a side note, I noticed the agent is able to do signature verification of a CA certificate of 4096 bit key size when running in FIPS mode. I am assuming you may have observed the same. I was also able to generate a 4096 bit (default size) key/certificate for an agent running on CentOS 7 in FIPS mode. It appeared to be in FIPS mode (sysctl crypto.fips_enabled comes back true|1) as it disallowed use of md5. So I wanted to clarify allowed and approved key sizes.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-05-18 Thread Moses Mendoza (JIRA)
Moses Mendoza updated an issue

Change By: Moses Mendoza
Labels: DOCS triaged


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-05-16 Thread Rob Lucke (JIRA)
Rob Lucke updated an issue

Change By: Rob Lucke
Labels: DOCS triaged


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2016-07-13 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-3114

You know, I didn't even check the date (obviously) :-D.
So, from what I can tell, for both PE and POSS, setting the keylength and utilized algorithms makes it work out of the box.
Hmm...now that I think of it, I do set my client settings at kickstart time so it's probably why I've never seen this issue. Client/server cipher negotiation seems like something that should be handled by the client and server automatically.
However, if the client is built in FIPS mode (and if you're in a FIPS environment, you're probably doing this), then it would all start correctly as well.
But yes, Puppet (and PE) operate just fine in FIPS mode, but I actually didn't realize about the server and client not playing nicely together since I bootstrap everything into compatible modes. I do think that the Puppet server should be enhanced to allow the client to discover what modes are compatible on the server side.
In terms of the Fact, I'll stand by my statement that FIPS and SELinux have both been in play, at the kernel level, for a LONG time and should be given equal treatment in Facter.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2016-07-13 Thread Adrien Thebo (JIRA)
Adrien Thebo commented on PUP-3114

Hi Trevor, 
I think you got pinged on this ticket when we updated the assignee; my earlier comment was made back in 2014. You'll have to give me a few moments to context switch back, so this response might be a bit disjointed. In addition I've got a pretty horrible memory and I'm trying to remember decisions we made back in 2014, and given that I have pretty bad memory I might be off base with a few comments - if I'm misremembering things please let me know. 
First off, I'm interested in what it takes to run Puppet in the SIMP stack and what configuration options you have to change to make Puppet work. The keylength is one, I assume that digest_algorithm is another, but are there any other Puppet settings that you need to change by default that the FIPS mode detection should take into consideration? 
Second, and this may be totally wrong because my memory is pretty horrid, is that we were a bit reluctant to move on this ticket because of the dependency on FACT-698. At the time I believe we were contending with fact sprawl in Facter 2 and we were trying to curate facts such that we weren't shipping a lot of facts that were only used by a small percentage of the Puppet user base. I think that we could drop this dependency in Puppet by using a Puppet feature to detect FIPS mode, which might remove this concern. Alternately we might have a different policy for what facts get merged into core Facter these days, so it might be worth investigating this a bit.
I think my concern with this issue is that we could fix this one case and have Puppet change the default keylength, but because a number of other settings would have incorrect default values this by itself wouldn't be helpful. If this issue was solved with the intent to fix the other issues around FIPS mode then I would be more enthusiastic about making this change, but I believe that in 2014 I was reluctant to add partial fixes for FIPS that wouldn't actually make Puppet work with FIPS mode out of the box. This concern is why I raised point 1 - what fixes do we need to make along with the keylength to make Puppet automatically work in FIPS mode?
Expanding on the completeness of the FIPS mode, in my previous comment I mentioned that the digest_algorithm needed to automatically switch to use SHA256, but we couldn't necessarily do this because the Puppet master and agent must be updated to use SHA256 in lockstep. If we had a master still using MD5 for file checksumming but the agent automatically switched to using SHA256, the agent wouldn't get a SIGABRT by trying to use MD5 but wouldn't be able to talk to the master and retrieve files because the file checksums in Puppet master metadata response would be unusable by the agent. So I think this is the point I was trying to make about FIPS mode in general - in this specific scenario we might have a well behaved agent that's switching features to work in FIPS mode that's still completely inoperable because it doesn't match the configuration of the master. I believe that this scenario is what's described in PUP-4329. 
So to be clear - I fully believe you when you say that Puppet can operate in FIPS mode. I also think that we should change Puppet such that it can detect that it's running in FIPS mode and will behave correctly. The issues that I'm concerned about are all solvable issues. 
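
The digest lockstep problem Adrien describes above, as an added example that is not Puppet's own code: an agent-side checksum check that refuses a master's MD5 checksum under FIPS mode with a message naming digest_algorithm, instead of failing opaquely. It assumes Puppet's "{type}hexdigest" metadata checksum format; the accepted-digest list, the error text and the sample content are constructed for this example.

```ruby
# Added example, not Puppet's code: verify content served by the master
# against its metadata checksum, and refuse an MD5 checksum in FIPS mode
# before any MD5 call is made, so the operator sees the digest_algorithm
# mismatch rather than a low-level failure.
require 'digest'

# Assumed metadata format: "{type}hexdigest", e.g. "{md5}b1946ac9...".
CHECKSUM_FORMAT = /\A\{(?<type>[a-z0-9]+)\}(?<value>[0-9a-f]+)\z/
# Digests this example treats as usable in FIPS mode (our choice, not a standard's).
FIPS_USABLE_DIGESTS = %w[sha256 sha384 sha512].freeze

class DigestMismatchError < StandardError; end

# Split "{md5}b1946ac9..." into ["md5", "b1946ac9..."].
def parse_checksum(checksum)
  m = CHECKSUM_FORMAT.match(checksum)
  raise ArgumentError, "malformed checksum #{checksum.inspect}" unless m
  [m[:type], m[:value]]
end

def hexdigest(type, content)
  case type
  when 'md5'    then Digest::MD5.hexdigest(content)
  when 'sha256' then Digest::SHA256.hexdigest(content)
  when 'sha384' then Digest::SHA384.hexdigest(content)
  when 'sha512' then Digest::SHA512.hexdigest(content)
  else raise ArgumentError, "unsupported digest #{type}"
  end
end

# Returns true when the content matches the master's checksum, false when it
# does not. In FIPS mode a checksum type outside FIPS_USABLE_DIGESTS raises
# DigestMismatchError naming the setting that must change on both ends.
def verify_served_content(metadata_checksum, content, fips:)
  type, expected = parse_checksum(metadata_checksum)
  if fips && !FIPS_USABLE_DIGESTS.include?(type)
    raise DigestMismatchError,
          "master sent a #{type} checksum but this agent is in FIPS mode; " \
          "set digest_algorithm=sha256 on the master and every agent in lockstep"
  end
  hexdigest(type, content) == expected
end

# Constructed sample: the content "hello\n" and the checksums a non-FIPS
# master (md5) and a FIPS-configured master (sha256) would put in metadata.
SAMPLE_CONTENT = "hello\n".freeze
SAMPLE_MD5_METADATA = '{md5}b1946ac92492d2347c6235b4d2611184'.freeze
SAMPLE_SHA256_METADATA =
  '{sha256}5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'.freeze
```

Calling verify_served_content(SAMPLE_MD5_METADATA, SAMPLE_CONTENT, fips: true) raises the descriptive error; the same call with fips: false returns true.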
 

Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2016-07-13 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-3114

A quick follow up...yeah, fqdn_rand needs to be fixed but that's probably a separate ticket. Also, if that's implemented in pure Ruby, it won't be affected. Not sure at this time.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2016-07-13 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-3114

Hi Adrien,
Yes, there are other issues that you need to be aware of and the documentation should cover exactly one of them: If you bootstrap your environment in non-FIPS mode, you're going to have to re-key. This is 100% true.
It is, in fact, easy to run your entire Puppet stack FIPS enabled, as we do it in the SIMP stack, in a fully automated fashion.
FIPS mode can be detected, items that can be detected should be automated, any system running against NIST 800-53, or based on NIST 800-53 without alteration, must run in FIPS mode.
That's a lot of people (whether they know it or not).
It's also easy to detect if you've already been bootstrapped, you have keys. Therefore, upgrades are safe.
All new systems would be FIPS ready if selected at configuration time or the system is in FIPS mode. All legacy systems can easily be checked and ignore the FIPS settings.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2016-07-13 Thread Eric Sorenson (JIRA)
Eric Sorenson assigned an issue to Adrien Thebo

Change By: Eric Sorenson
Assignee: Adrien Thebo


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-11-05 Thread Adrien Thebo (JIRA)
Adrien Thebo commented on PUP-3114

Defaulting the RSA key length to 2048 bit keys only helps when generating the initial CA, but this only simplifies the initial generation and does not deal with a host of other issues. If the Puppet CA infrastructure is bootstrapped with FIPS mode disabled and FIPS mode is subsequently enabled, then Puppet will never be able to run anyways. Resolving this would require re-keying the entire CA infrastructure.
Beyond that, there are a number of other issues with running Puppet on FIPS enabled systems. First off, we use MD5 for checksumming files, files are filebucketed based on the MD5 of the file content, we have the md5sum parser method, and the fqdn_rand method uses Digest::MD5.hexdigest. To make Puppet work on FIPS enabled systems you need to take these things into account, and in the case of filebucketing it's not possible to roll out the change to the digest_algorithm setting via Puppet. Since Puppet requires manual configuration to make FIPS mode work correctly, I think we should treat this as a documentation issue rather than try to patch it in the code.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-10-28 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on an issue

No, no helpful messages are output. Since this is enforced at a very low level, there's no way to know what's going on without checking the system and, if you're going to do that, why not just use the custom fact (or repeat it in the code I suppose).
The most you can really do is to try to do the following OpenSSL::PKey::RSA.new(4096) and see if it explodes. If so, it MIGHT be FIPS, or it might not.
The only correct method that I could figure out is the one that I put out the PR for that relies on the custom fact. It looks like FIPS mode was added to the kernel core around 2008 from digging through the Git tree, so if SELinux is in, this really should be too as a core component that can destroy multiple aspects of a system and/or require apps to be reconfigured to work with it.
My preference is still to fix the issue and let the user know you're doing it instead of just telling them to update their config file by hand.

Puppet / PUP-3114
Puppet needs to use default keylength 2048 on FIPS enabled systems

FIPS 140-2 does not allow for the use of 4096 bit keys. Therefore, the initial certificate generation of a key using a key length greater than 2048 bits will fail. Any system that is FIPS enabled should use a 2048 bit key when generating the initial CA and server certificates.

Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-10-28 Thread Nicholas Fagerlund (JIRA)
Nicholas Fagerlund commented on an issue

In that case I think I agree with Trevor's approach.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-10-27 Thread Nicholas Fagerlund (JIRA)
Nicholas Fagerlund commented on an issue

Kylo Ginsberg The only sufficient docs for this would be just-in-time docs. (Explanation in keylength setting: no one will go looking there. Explanation in install guide: clogs up guide with irrelevant info and degrades experience for all non-FIPS users. Explanation in troubleshooting page where info goes to die: no one will go looking there. Explanation in separate FIPS page: no one will go looking there.)
Anyway, when we fail to generate initial certificates due to FIPS being enabled, we should, AT THAT TIME, emit a message explaining what happened and pointing at the keylength setting.
What is the current symptom of this failure? We should change that symptom to be explicit and helpful. That's the solution I'd be satisfied with.

Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-10-27 Thread Josh Cooper (JIRA)
Josh Cooper commented on an issue

OpenSSL will segfault if puppet tries to use a non-FIPS compatible keylength on a FIPS enabled system, which is part of the problem... you can't deploy puppet and then try to use puppet to manage the keylength setting. It has to be set correctly to start with...
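
The detection and step-down approach discussed in the comments above (Trevor Vaughan's OpenSSL::PKey::RSA.new probe and custom fact, Nicholas Fagerlund's just-in-time message, and the segfault Josh Cooper describes), as an added example that is not Puppet's own code: it reads the kernel flag behind sysctl crypto.fips_enabled, picks a key size from the 2048/3072/15360 list reported in the thread, and explains any substitution before OpenSSL is asked to generate anything. The flag path, the accepted-size list and the message text are assumptions of this example, not Puppet settings.

```ruby
# Added example, not Puppet's code: choose an RSA key length before calling
# OpenSSL, so a FIPS-mode system gets a usable key or an actionable error
# instead of the low-level abort described in the thread.
require 'openssl'

# The file behind `sysctl crypto.fips_enabled` (Linux kernel flag).
FIPS_FLAG_PATH = '/proc/sys/crypto/fips_enabled'.freeze

# RSA sizes the thread reports as accepted by FIPS-mode OpenSSL, largest
# first; 4096 is the size older EL6/EL7 builds rejected. Assumption: taken
# from the comments above, not from a FIPS document.
FIPS_RSA_SIZES = [15360, 3072, 2048].freeze

# Pure check on the flag's content so it can be tested with constructed input.
def fips_flag_set?(content)
  content.to_s.strip == '1'
end

# Read the flag from disk; an absent or unreadable flag is treated as non-FIPS.
def fips_enabled?(path = FIPS_FLAG_PATH)
  fips_flag_set?(File.read(path))
rescue SystemCallError
  false
end

class FipsKeylengthError < StandardError; end

# Returns [length_to_use, warning_or_nil] for a configured `keylength`.
# Outside FIPS mode the request is honoured as-is. In FIPS mode an accepted
# size is kept, a larger unaccepted size is stepped down to the next accepted
# size below it (the "step it down" option from the thread), and anything
# below the smallest accepted size is rejected with a message naming the fix.
def effective_keylength(requested, fips:)
  return [requested, nil] unless fips
  return [requested, nil] if FIPS_RSA_SIZES.include?(requested)

  fallback = FIPS_RSA_SIZES.find { |size| size < requested }
  if fallback.nil?
    raise FipsKeylengthError,
          "keylength=#{requested} cannot be used in FIPS mode; " \
          "set keylength to one of #{FIPS_RSA_SIZES.sort.join(', ')}"
  end
  [fallback, "FIPS mode detected: generating a #{fallback}-bit key instead of " \
             "the configured keylength=#{requested}"]
end

# Generate the key, emitting the just-in-time explanation before OpenSSL runs.
def generate_rsa_key(requested, fips: fips_enabled?)
  length, warning = effective_keylength(requested, fips: fips)
  warn warning if warning
  OpenSSL::PKey::RSA.new(length)
end
```

generate_rsa_key(4096) on a FIPS-enabled host logs the substitution and returns a 3072-bit key; on a non-FIPS host it returns the requested 4096-bit key unchanged.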

Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-10-27 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on an issue

Yeah, this is why I finally decided to patch it instead of a doc update.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-10-27 Thread Nicholas Fagerlund (JIRA)
Nicholas Fagerlund commented on an issue

Does OpenSSL at least crash with an informative message? Can we do anything after OpenSSL crashes and tell the user what might be up? Can we detect what's up before OpenSSL crashes and give a message then?
Anyway, my answer about addressing this in docs stands: we can put something on the website and say we technically did something, but we can't put something on the website and say it solves the problem. Users won't know to even check the docs unless they get a clear signal about what just happened to them.

Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-09-30 Thread Kylo Ginsberg (JIRA)

Kylo Ginsberg commented on an issue

Nicholas Fagerlund what do you think about addressing this in docs as Trevor Vaughan suggested on 20/Aug14?


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-09-24 Thread Trevor Vaughan (JIRA)

Trevor Vaughan commented on an issue

PR Added at https://github.com/puppetlabs/puppet/pull/3044
Requires Facter update from FACT-698


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Trevor Vaughan (JIRA)

Trevor Vaughan created an issue

Puppet / PUP-3114
Puppet needs to use default keylength 2048 on FIPS enabled systems

Issue Type: Bug
Affects Versions: 3.6.2, 2.7.25
Assignee: Andy Parker
Components: Server
Created: 20/Aug/14 12:53 PM
Environment: Any system that is FIPS enabled at boot time.
Priority: Normal
Reporter: Trevor Vaughan

FIPS 140-2 does not allow for the use of 4096 bit keys. Therefore, the initial certificate generation of a key using a key length > 2048 bits will fail.
Any system that is FIPS enabled should use a 2048 bit key when generating the initial CA and server certificates.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Josh Cooper (JIRA)

Josh Cooper commented on an issue

Trevor Vaughan you should be able to specify the key length using the keylength puppet setting. It defaults to 4096, but can be set as needed. If that works for you, please close this ticket.

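Josh Cooper's `keylength` setting and Trevor Vaughan's fact-driven PR (pull/3044, FACT-698) describe one procedure: find out whether the host is in FIPS mode, configure 2048 before Puppet generates any key, and confirm what actually landed on disk. The POSIX shell below is an added example written for this page; it is not Puppet's code and not the code in that PR. It assumes that a Linux kernel reports FIPS mode in /proc/sys/crypto/fips_enabled, that `puppet config set` is how the setting is persisted (shown only as a comment), and that `openssl` is on PATH for the verification step. It goes slightly beyond the thread by also measuring an existing key, since changing keylength does not rewrite a key Puppet already generated.

```shell
#!/bin/sh
# Added example, not code from Puppet or from PR 3044: choose a FIPS-safe
# RSA key length before Puppet generates its CA/agent keys, and check the
# size of a key that already exists.
#
# Assumptions (not stated in the ticket):
#   - Linux exposes FIPS mode as /proc/sys/crypto/fips_enabled ("1" = on).
#   - Puppet's keylength setting is persisted with `puppet config set`.
#   - openssl is on PATH for the verification step.

FIPS_FLAG_FILE=/proc/sys/crypto/fips_enabled

# fips_enabled [FILE]
# Succeeds when FILE (default: the kernel flag) contains "1". A missing or
# unreadable file counts as FIPS off, like a kernel built without the knob.
fips_enabled() {
    f="${1:-$FIPS_FLAG_FILE}"
    [ -r "$f" ] || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# choose_keylength [FILE]
# Prints the RSA size to configure: 2048 on a FIPS host (the size the ticket
# reports as working), otherwise Puppet's 4096 default.
choose_keylength() {
    if fips_enabled "$1"; then
        echo 2048
    else
        echo 4096
    fi
}

# rsa_key_bits PEMFILE
# Prints the modulus size of an RSA private key (for Puppet, typically
# $ssldir/private_keys/<certname>.pem) so an operator can confirm it before
# turning FIPS on; a 4096-bit key generated earlier does not become usable
# just because keylength is now 2048.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Demonstration against a constructed flag file, so it runs on any host.
demo() {
    tmp="$(mktemp -d)" || return 1
    printf '1\n' > "$tmp/fips_enabled"        # constructed: pretend FIPS is on
    kl="$(choose_keylength "$tmp/fips_enabled")"
    echo "keylength to configure: $kl"
    # On the real host, persist it before the first agent/CA run:
    #   puppet config set keylength "$kl" --section main
    if command -v openssl >/dev/null 2>&1; then
        openssl genrsa -out "$tmp/key.pem" "$kl" 2>/dev/null
        echo "generated key: $(rsa_key_bits "$tmp/key.pem") bits"
    fi
    rm -rf "$tmp"
}

demo
```

Run the detection step on each node before its first agent run. On a node that is already enrolled, check the existing key with rsa_key_bits and regenerate it if it is larger than the FIPS module accepts; lowering keylength only affects keys Puppet generates from then on.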


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Change By: Josh Cooper
Assignee: Trevor Vaughan (was Andy Parker)



Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Trevor Vaughan (JIRA)

Trevor Vaughan commented on an issue

Yes, that works fine and is how I currently resolve the issue.
Could I change this to a documentation bug then with a note that, on FIPS enabled systems, keylength must be set to 2048?


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Change By: Josh Cooper
Assignee: Nicholas Fagerlund (was Trevor Vaughan)



Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Change By: Josh Cooper
Labels: DOCS



Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2014-08-20 Thread Josh Cooper (JIRA)

Josh Cooper assigned an issue to Josh Cooper

Change By: Josh Cooper
Assignee: Josh Cooper (was Nicholas Fagerlund)