Issue #13435 has been updated by Michael Smith.
Thanks, it's really nice to see the switch from MD5/SHA1 to SHA256. By the way, I was concerned with the CSR signature. The CSR signature is used for proof-of-possession of the private key. The fingerprint/digest is just a hash of the whole CSR including signature. I couldn't find the place where the server verifies the CSR signature. I think that's because it doesn't check. I can open a separate bug for that; it's not really critical when the cert is just used for Puppet authentication, but it becomes important if people are using the certs for other purposes. ---------------------------------------- Feature #13435: CSRs should be signed with SHA1, not MD5 https://projects.puppetlabs.com/issues/13435#change-59052 Author: Michael Smith Status: In Topic Branch Pending Review Priority: Normal Assignee: Jeff Weiss Category: SSL Target version: Affected Puppet version: 2.6.12 Keywords: Branch: https://github.com/puppetlabs/puppet/pull/616 The code in certificate_authority.rb uses SHA1 to issue certs, but the CSR generation code in certificate_request.rb signs the CSR using "csr.sign(key, OpenSSL::Digest::MD5.new)". I might be naive, but I figure this could be changed to SHA1 and get Puppet one step closer to working in FIPS mode (#8120). I couldn't find the spot in the CA code where the CSR signature is actually verified. I suppose the CA should probably check the CSR is signed using a recommended algorithm, but FIPS mode would take care of disabling other algorithms anyway so I'm not particularly worried. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
