Jira (PUP-1935) puppetd ignores local ca.pem when connecting to master for the first time
Maggie Dreyer updated an issue: Puppet / PUP-1935
Change By: Maggie Dreyer
Fix Version/s: PUP 6.0.0
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Maggie Dreyer updated an issue: Puppet / PUP-1935
Change By: Maggie Dreyer
Team: Platform Core Server
Maggie Dreyer assigned an issue to Unassigned: Puppet / PUP-1935
Change By: Maggie Dreyer
Assignee: Jayant Sane
Maggie Dreyer commented on PUP-1935:
As we are adding our new agent-side certificate code in place, with the new HTTP client, we should verify that this gets fixed.
Jayant Sane commented on PUP-1935:
Is this the latest status, or have there been any changes since?
Adrien Thebo commented on PUP-1935:
I believe https://github.com/adrienthebo/puppet/tree/revert-pup-7283 was the last branch that touched this. There were some issues with acceptance tests that caused this to be rejected; it just needs a bit of work to chase down the last issues.
Bill Weiss commented on PUP-1935:
I hear from Adrien Thebo that this code might be mostly written. Could be neat.
Jayant Sane commented on PUP-1935:
Also, if not redundant, some qualification on the severity. If the attacker (insider) is in a position to manipulate DNS and bring up a server on the same network, then the environment is already sufficiently compromised and the attacker would be in a position to mount more serious attacks. This still does not justify the agent not verifying the master's certificate when it is in a position to do so. I will check with Adrien on what he had attempted and will look into it but, as mentioned, it might take me a while.
Jayant Sane commented on PUP-1935:
The concern/issue is valid. As some others have noted, this has existed for some time and had also come up independently during threat modeling + security review of the SSL certificates bootstrapping flow. Unlike the case of the very first connection attempt to retrieve the CA certificate, which could be insecure in some cases, there is no good reason for the puppet agent to NOT verify the master's certificate when it has a CA certificate downloaded/established. There are some ways to reduce the risk of downloading arbitrary (malicious) CA certificates by making the expected CA certificate fingerprint available during agent install. Adrien had attempted resolving this a couple of weeks back, but it seems he was not successful given the intricacies and peculiarities of openssl's workings. However, I am not sure if I should be assigned to this, as I am not a developer per se and am not very familiar with the mechanics of the implementation, and it can take me inordinately long given some other priorities/tasks on my plate.
Moses Mendoza updated an issue: Puppet / PUP-1935
Change By: Moses Mendoza
Labels: redmine triaged
John Duarte assigned an issue to Jayant Sane: Puppet / PUP-1935
Change By: John Duarte
Assignee: John Duarte Jayant Sane
John Duarte commented on PUP-1935:
Given the steps outlined by the original poster, this behavior is still present in recent puppet builds. Jayant Sane, can you review this for security concerns?
John Duarte updated an issue: Puppet / PUP-1935
Change By: John Duarte
Labels: needs_repro redmine triaged
John Duarte commented on PUP-1935:
John Duarte, please verify this is still an issue with recent version(s).
John Duarte updated an issue: Puppet / PUP-1935
Change By: John Duarte
Labels: redmine triaged
John Duarte assigned an issue to John Duarte: Puppet / PUP-1935
Change By: John Duarte
Assignee: Adrien Thebo John Duarte
John Duarte updated an issue: Puppet / PUP-1935
Change By: John Duarte
Labels: needs_repro redmine triaged
John Duarte updated an issue: Puppet / PUP-1935
Change By: John Duarte
Team: Agent
David Lutterkort assigned an issue to Adrien Thebo: Puppet / PUP-1935
Change By: David Lutterkort
Assignee: Adrien Thebo
redmine.exporter created an issue: Puppet / PUP-1935
Issue Type: Bug
Assignee: Unassigned
Created: 13/Mar/14 1:37 PM
Labels: redmine
Priority: Normal
Reporter: redmine.exporter

Hi,

I have a clean machine, with only puppet.conf configured (using --genconfig) and /etc/puppet/ssl/certs/ca.pem. I now run puppetd for the first time and connect to a server that has a different CA. I believe the expected behavior should be that puppetd will abort the connection because it connects to an unauthorized server. Instead, puppetd continues to communicate with the unauthorized master and generates a new certificate request.

Unless I'm mistaken, this scenario could lead to a security breach: if an attacker gains control over the DNS, it can redirect new machines to its own malicious master. The master will make the node install a rootkit, for example. Afterwards the attacker will redirect the DNS back to the original master. The node will then retrieve from the original (unsuspecting) master sensitive information, information that now the attacker can access.

I'm running puppet version 2.6.2.

Thanks,
Tal
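The behavior the report expects (abort when the master's certificate does not chain to the ca.pem already on disk) and the install-time CA fingerprint comparison suggested in the comments can be sketched as follows. This is an added example, not Puppet's own code or part of the thread; the helper names, CA names and the host name `puppet.example.test` are hypothetical, and all certificates are constructed in memory.

```ruby
require 'openssl'

# Build a certificate. With issuer: nil the result is self-signed.
def make_cert(cn, key, issuer: nil, issuer_key: key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# True only if server_cert chains to the CA certificate already on disk.
def issued_by_local_ca?(local_ca_pem, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(local_ca_pem))
  store.verify(server_cert)
end

# Decision on first contact: a local ca.pem, when present, is authoritative.
def first_contact(local_ca_pem, server_cert)
  return :no_local_ca if local_ca_pem.nil?
  issued_by_local_ca?(local_ca_pem, server_cert) ? :proceed : :abort
end

# Compare a downloaded CA certificate with a fingerprint supplied at install.
def ca_fingerprint_ok?(ca_pem, expected_sha256_hex)
  der = OpenSSL::X509::Certificate.new(ca_pem).to_der
  OpenSSL::Digest::SHA256.hexdigest(der) == expected_sha256_hex.delete(':').downcase
end

# Constructed sample data: two unrelated CAs and one master certificate from each.
CA_KEY, OTHER_KEY, SRV_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
SITE_CA = make_cert('Constructed Site CA', CA_KEY, ca: true)
OTHER_CA = make_cert('Constructed Other CA', OTHER_KEY, ca: true)
SITE_MASTER = make_cert('puppet.example.test', SRV_KEY, issuer: SITE_CA, issuer_key: CA_KEY)
OTHER_MASTER = make_cert('puppet.example.test', SRV_KEY, issuer: OTHER_CA, issuer_key: OTHER_KEY)

if __FILE__ == $PROGRAM_NAME
  puts first_contact(SITE_CA.to_pem, SITE_MASTER)   # master signed by the local CA
  puts first_contact(SITE_CA.to_pem, OTHER_MASTER)  # master signed by a different CA
end
```

The chain check here does not include host name matching, which a TLS client performs separately.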