On Wed, Jan 9, 2013 at 5:47 AM, Alex Harvey <alexharv...@gmail.com> wrote:
> Hi Andy,
>
> On Wednesday, January 9, 2013 11:15:09 AM UTC+11, Andy Parker wrote:
>>
>> It is as ambitious as you want it to be :) I've found all of the
>> certification handling stuff pretty hard to follow, so I would be all ears
>> on what we could do to make it work better/be more consistent/be easier to
>> use.
>
> I think we should break it into a bugfix and a refactor/feature add.
>
> Bug #17295 is a big problem that makes puppet v3 essentially unusable on
> HP-UX unless you compile your own OpenSSL. This is because the HP Porting
> Archive version of OpenSSL doesn't seem to support SHA256 (at least doesn't
> on my 11.23 boxes). But we can fix #17295 fairly easily and quickly in
> line with the proposal above in this thread.
>

I think that split sounds reasonable. Fix the immediate problem, and then work toward something better.

> A separate redmine could track a refactor/feature add. It seems to me
> that the default hashing algorithm should be in defaults.rb. Indeed, I see
> there are some defaults there that aren't used - e.g.
>
>     :ca_md => {
>       :default => "md5",
>       :desc => "The type of hash used in certificates.",
>     },
>
> -bash-3.2$ grep -r :ca_md lib/
> lib/puppet/defaults.rb:    :ca_md => {
>

Yeah, we've been finding these things. There are quite a few settings that are defined in there, but don't actually get used. Josh and I were looking into some of those, and I just had a conversation with him about signing and such with SSL. There are intricacies in there that I'm not fully familiar with, so I'll let him chime in on some of that. However, I think what you have said makes sense.

Can you convert the examples that you give below to the equivalent puppet commands so that we can all be clear on what you are proposing for changes to the puppet commands?

> Then, I still think, after seeking guidance from the design of the openssl
> command itself, that to avoid violating the Principle of Least Surprise we
> ought to reuse --digest -- unless someone can think of a weird situation
> where you'd want to use one algorithm for fingerprinting and another for
> signing a certificate and somehow do these two things simultaneously. I
> can't think how that would happen.
>
> Thus from man 1 dgst we get the usage of openssl dgst -
>
> SYNOPSIS
>     openssl dgst [-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1] [-c]
>     [-d] [-hex] [-binary] [-out filename] [-sign filename] [-passin arg]
>     [-verify filename] [-prverify filename] [-signature filename]
>     [file...]
>
> E.g. I want a fingerprint and am happy with the default hashing algorithm -
>
>     # openssl dgst /var/lib/puppet/ssl/public_keys/myhost.example.com.pem
>     MD5(/var/lib/puppet/ssl/public_keys/myhost.example.com.pem)= ca4ad42cbc8c0f31618a9e316509df13
>
> or I want a SHA1 fingerprint -
>
>     # openssl dgst -sha1 /var/lib/puppet/ssl/public_keys/myhost.example.com.pem
>     SHA1(/var/lib/puppet/ssl/public_keys/myhost.example.com.pem)= 663ea11d9f66d5705b67e393a02226b0d883fde2
>
> or I want to sign my cert using SHA1 -
>
>     # openssl dgst -sha1 -sign somefile.csr -out somefile.pem
>
> So how does all this sound?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-dev/-/bYh_cg3tDGYJ.
>
> To post to this group, send email to puppet-dev@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-dev+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.
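The digest handling discussed in this thread, as an added Ruby example that is not Puppet's own code: a single configured digest drives both certificate signing and fingerprinting (the "reuse --digest" proposal), and an ordered fallback list detects an OpenSSL build that lacks SHA256, the HP-UX situation Alex describes. The function names (select_digest, self_signed_cert, fingerprint) and the throwaway key are assumptions made for the example.

```ruby
require 'openssl'

# Added example, not Puppet's own code. One digest setting drives both
# signing and fingerprinting; the list order is the preference order and
# the first algorithm the linked libcrypto supports wins (an OpenSSL build
# without SHA256, like the HP-UX one in the thread, falls through to sha1).
PREFERRED_DIGESTS = %w[sha256 sha1].freeze

# Returns the name of the first candidate digest this OpenSSL build supports.
def select_digest(candidates = PREFERRED_DIGESTS)
  candidates.each do |name|
    begin
      OpenSSL::Digest.new(name)   # raises for an unknown/unsupported algorithm
      return name
    rescue StandardError
      next                        # unsupported here; try the next candidate
    end
  end
  raise "none of #{candidates.join(', ')} is supported by this OpenSSL"
end

# Builds a self-signed certificate for +cn+, signed with +digest_name+.
def self_signed_cert(cn, key, digest_name)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                              # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new(digest_name))
  cert
end

# Colon-separated hex fingerprint of the DER form, as `openssl x509
# -fingerprint -<digest>` prints it, using the same digest as for signing.
def fingerprint(cert, digest_name)
  OpenSSL::Digest.new(digest_name).hexdigest(cert.to_der)
             .scan(/../).join(':').upcase
end

if $PROGRAM_NAME == __FILE__
  digest = select_digest
  key = OpenSSL::PKey::RSA.new(2048)           # constructed throwaway key
  cert = self_signed_cert('myhost.example.com', key, digest)
  puts "signed with: #{cert.signature_algorithm}"
  puts "#{digest.upcase} fingerprint: #{fingerprint(cert, digest)}"
end
```

Run it on a box whose OpenSSL lacks SHA256 and select_digest returns "sha1", which is the fallback behaviour the bugfix half of the proposal needs; with a normal build the certificate reports sha256WithRSAEncryption.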