Hi Andy,

On Wednesday, January 9, 2013 11:15:09 AM UTC+11, Andy Parker wrote:
>
>
> It is as ambitious as you want it to be :) I've found all of the 
> certification handling stuff pretty hard to follow, so I would be all ears 
> on what we could do to make it work better/be more consistent/be easier to 
> use. 
>

I think we should break it into a bugfix and a refactor/feature add.

Bug #17295 is a big problem that makes puppet v3 essentially unusable on 
HP-UX unless you compile your own OpenSSL.  This is because the HP Porting 
Archive version of OpenSSL doesn't seem to support SHA256 (at least doesn't 
on my 11.23 boxes).  But we can fix #17295 fairly easily and quickly in 
line with the proposal above in this thread.

A separate redmine could track a refactor/feature add.  It seems to me that 
the default hashing algorithm should be in defaults.rb.  Indeed, I see 
there are some defaults there that aren't used - e.g.

    :ca_md => {
      :default    => "md5",
      :desc       => "The type of hash used in certificates.",
    },

-bash-3.2$ grep -r :ca_md lib/
lib/puppet/defaults.rb:    :ca_md => {

Then, I still think, after seeking guidance from the design of the openssl 
command itself, that to avoid violating the Principle of Least Surprise we 
ought to reuse --digest -- unless someone can think of a weird situation 
where you'd want to use one algorithm for fingerprinting and another for 
signing a certificate and somehow do these two things simultaneously.  I 
can't think how that would happen.

Thus from dgst(1) we get the usage of openssl dgst -

 SYNOPSIS
      openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c]
      [-d] [-hex] [-binary] [-out filename] [-sign filename] [-passin arg]
      [-verify filename] [-prverify filename] [-signature filename] [file...]

E.g. I want a fingerprint and am happy with the default hashing algorithm -

# openssl dgst /var/lib/puppet/ssl/public_keys/myhost.example.com.pem
MD5(/var/lib/puppet/ssl/public_keys/myhost.example.com.pem)= ca4ad42cbc8c0f31618a9e316509df13

or I want a SHA1 fingerprint -

# openssl dgst -sha1 /var/lib/puppet/ssl/public_keys/myhost.example.com.pem
SHA1(/var/lib/puppet/ssl/public_keys/myhost.example.com.pem)= 663ea11d9f66d5705b67e393a02226b0d883fde2

or I want to sign my cert using SHA1 -

# openssl dgst -sha1 -sign somefile.pem -out somefile.sig somefile.csr

So how does all this sound?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Developers" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-dev/-/bYh_cg3tDGYJ.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-dev+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-dev?hl=en.
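The single-setting design argued for in the message above (one digest name driving both the fingerprint and the certificate signature), with a probe of the linked OpenSSL so that a build lacking SHA-256 is caught before signing, as an added Ruby example. This is not Puppet's code and not from the original post; the names `select_digest`, `fingerprint` and `sign_self_signed` are this example's own, and the key and subject are constructed in-memory instead of being read from /var/lib/puppet/ssl.

```ruby
require 'openssl'

# Added example, not Puppet's own code. One digest name is chosen once and
# used for both fingerprinting (as `openssl dgst [-<alg>] file.pem` does) and
# certificate signing, after probing the linked OpenSSL so that a library
# built without SHA-256 (the HP-UX case discussed above) falls back to the
# next candidate instead of failing inside the CA at signing time.
# `select_digest`, `fingerprint` and `sign_self_signed` are hypothetical
# helper names for this example, not Puppet API.

# Return the first digest name the linked OpenSSL can actually instantiate.
# Ruby's OpenSSL raises RuntimeError ("Unsupported digest algorithm") for
# names the underlying library was built without.
def select_digest(preferred = %w[sha256 sha1 md5])
  preferred.each do |name|
    begin
      OpenSSL::Digest.new(name)
      return name
    rescue RuntimeError
      next
    end
  end
  raise "none of #{preferred.join(', ')} is supported by this OpenSSL"
end

# Hash the bytes of a PEM file exactly as `openssl dgst -<alg> file.pem`
# does; returns the lowercase hex digest.
def fingerprint(pem, digest_name)
  OpenSSL::Digest.new(digest_name).hexdigest(pem)
end

# Self-sign a certificate for `key` with the chosen digest. The digest ends
# up in the certificate's signature algorithm, so the caller can check
# afterwards which one was really used.
def sign_self_signed(key, subject, digest_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 365 * 24 * 60 * 60
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a fresh RSA key stands in for the agent's key pair.
  key = OpenSSL::PKey::RSA.new(2048)
  alg = select_digest
  pem = key.public_key.to_pem
  puts "digest selected: #{alg}"
  puts "#{alg.upcase}(public_key)= #{fingerprint(pem, alg)}"
  cert = sign_self_signed(key, '/CN=myhost.example.com', alg)
  puts "certificate signature algorithm: #{cert.signature_algorithm}"
  puts "self-signature verifies: #{cert.verify(key)}"
end
```

Run it under two OpenSSL builds and the first line tells you which algorithm the rest of the output was produced with; on a library without SHA-256 the same code signs with SHA-1 instead of aborting, and the signature algorithm printed from the certificate is the evidence of which digest was used.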