Please review pull request #498: Bug/2.7.x/6663 increase default key length opened by (daniel-pittman)

Description:

The CA key length was lower than it should be - 1024 bits is no longer secure
enough for real world use. This raises both client and CA certs to use 4096
bit keys. Those are slow, but effective for long term security.

People who know enough to decide that the trade-off of speed vs limited window
of security can still totally reduce the size of the key without much trouble,
but we default to being more cautious.

This also pegs the key lengths low in testing, since building a 4K key is
awful slow if you want to do it time and time again over the course of dozens
of tests.

Signed-off-by: Daniel Pittman [email protected]

  • Opened: Wed Feb 15 01:04:58 UTC 2012
  • Based on: puppetlabs:2.7.x (b9655fea47c5eefaa6f4768b750e634aeb063aca)
  • Requested merge: daniel-pittman:bug/2.7.x/6663-increase-default-key-length (50082e3f5d3d5291252d54d0eb6fb163084f26f8)

Diff follows:

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 71d04df..4fb92c8 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -435,8 +435,8 @@ module Puppet
       is set, ca_days is ignored. Examples are '3600' (one hour)
       and '1825d', which is the same as '5y' (5 years) "],
     :ca_md => ["md5", "The type of hash used in certificates."],
-    :req_bits => [2048, "The bit length of the certificates."],
-    :keylength => [1024, "The bit length of keys."],
+    :req_bits => [4096, "The bit length of the certificates."],
+    :keylength => [4096, "The bit length of keys."],
     :cert_inventory => {
       :default => "$cadir/inventory.txt",
       :mode => 0644,
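Review bot: The context line just above the changed settings still has `:ca_md => ["md5", "The type of hash used in certificates."]`, so the certificate hash default stays at md5 while the key sizes go to 4096; that default deserves a look in this change or a tracked follow-up. The description strings for `:req_bits` and `:keylength` are also unchanged, and they would be the natural place to say that 4096 is a deliberately cautious default that can be lowered, which at present only the commit message states.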
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index d5beddb..1a3dba2 100755
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -70,6 +70,17 @@ module PuppetSpec
     # I suck for letting this float. --daniel 2011-04-21
     Signal.stubs(:trap)
 
+    # Longer keys are secure, but they sure make for some slow testing - both
+    # in terms of generating keys, and in terms of anything the next step down
+    # the line doing validation or whatever.  Most tests don't care how long
+    # or secure it is, just that it exists, so these are better and faster
+    # defaults, in testing only.
+    #
+    # I would make these even shorter, but OpenSSL doesn't support anything
+    # below 512 bits.  Sad, really, because a 0 bit key would be just fine.
+    Puppet[:req_bits]  = 512
+    Puppet[:keylength] = 512
+
     # Set the confdir and vardir to gibberish so that tests
     # have to be correctly mocked.
     Puppet[:confdir] = "/dev/null"
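Review bot: Because `Puppet[:req_bits] = 512` and `Puppet[:keylength] = 512` are set in the shared spec setup, no spec ever runs with the new 4096 defaults, so a later accidental change to those defaults would go unnoticed. Consider adding one spec that checks the shipped default values of both settings without this override. The comment could also state explicitly that 512 bits is for tests only and must never be copied into a real configuration.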
diff --git a/test/lib/puppettest/certificates.rb b/test/lib/puppettest/certificates.rb
index 34da6da..a1d8a77 100644
--- a/test/lib/puppettest/certificates.rb
+++ b/test/lib/puppettest/certificates.rb
@@ -17,6 +17,10 @@ def mkPassFile()
   end
 
   def mkCA
+    # The defaults make tests that consume this very slow.
+    Puppet[:req_bits]  = 512
+    Puppet[:keylength] = 512
+
     ca = nil
     assert_nothing_raised {
       ca = Puppet::SSLCertificates::CA.new
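Review bot: The same three added lines (comment plus the two `Puppet[...] = 512` assignments) appear at the top of `mkCA`, `mkStore`, `mkcert` and `mksignedcert` in this file. Pulling them into one small helper or a shared setup step would keep the test key size in a single place and make it harder for one copy to drift from the others.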
@@ -26,6 +30,10 @@ def mkCA
   end
 
   def mkStore(ca)
+    # The defaults make tests that consume this very slow.
+    Puppet[:req_bits]  = 512
+    Puppet[:keylength] = 512
+
     store = OpenSSL::X509::Store.new
     store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
     store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
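Review bot: In `mkStore`, the visible lines only build an `OpenSSL::X509::Store` and set its purpose and flags for a CA that is passed in already constructed; nothing shown here generates a key or a request. Please confirm the override is needed in this helper, and drop it if it is not, so the 512-bit settings appear only where key generation actually happens.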
@@ -35,6 +43,10 @@ def mkStore(ca)
   end
 
   def mkcert(hostname)
+    # The defaults make tests that consume this very slow.
+    Puppet[:req_bits]  = 512
+    Puppet[:keylength] = 512
+
     cert = nil
     assert_nothing_raised {
       cert = Puppet::SSLCertificates::Certificate.new(:name => hostname)
@@ -45,6 +57,10 @@ def mkcert(hostname)
   end
 
   def mksignedcert(ca = nil, hostname = nil)
+    # The defaults make tests that consume this very slow.
+    Puppet[:req_bits]  = 512
+    Puppet[:keylength] = 512
+
     ca ||= mkCA()
     hostname ||= "ttltest.example.com"
 
diff --git a/test/lib/puppettest/servertest.rb b/test/lib/puppettest/servertest.rb
index 8248300..580f4b0 100644
--- a/test/lib/puppettest/servertest.rb
+++ b/test/lib/puppettest/servertest.rb
@@ -31,6 +31,10 @@ def mktestmanifest
 
   # create a server, forked into the background
   def mkserver(handlers = nil)
+    # The defaults make for very slow tests.
+    Puppet[:req_bits]  = 512
+    Puppet[:keylength] = 512
+
     Puppet[:name] = "puppetmasterd"
     # our default handlers
     unless handlers
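Review bot: In `mkserver`, the two assignments change the global `Puppet[:req_bits]` and `Puppet[:keylength]` settings as a side effect of calling the helper, and nothing in the hunk restores them. Setting them once in the test setup, as the `spec_helper.rb` part of this change does, would avoid the result depending on which helper happened to run first.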

    
