On Thursday, January 10, 2013 5:58:02 AM UTC+11, Andy Parker wrote:
>
> Yeah, we've been finding these things. There are quite a few settings that
> are defined in there, but don't actually get used. Josh and I were looking
> into some of those, and I just had a conversation with him about signing
> and such with SSL. There are intricacies in there that I'm not fully
> familiar with, so I'll let him chime in on some of that.
>
> However, I think what you have said makes sense. Can you convert the
> examples that you give below to the equivalent puppet commands so that we
> can all be clear on what you are proposing for changes to the puppet
> commands?
>
The only change to puppet's functionality would be to connect --digest wherever applicable to override the default algorithm of SHA256. The help pages and online documentation will need to be updated too and I'm happy to do that. Thus the following are the proposed new uses for --digest:

1) puppet agent -t [ --digest DIGEST ]

   An initial certificate signing request from a client will allow digest to be optionally specified. Although the option 'puppet agent --digest DIGEST' already exists, it currently doesn't do anything unless used in conjunction with --fingerprint. So this new usage is in addition to the existing usage via 'puppet agent -t --fingerprint [ --digest DIGEST ]'.

   Note that currently when SHA256 doesn't exist we get the following:

       # puppet agent -t --fingerprint
       Error: Could not run: Unsupported digest algorithm (SHA256).

   For overall consistency I would propose to fix this behaviour too (which seems to be again an error coming from OpenSSL itself and not Puppet) such that puppet always tries SHA1 after trying SHA256, even when just computing a fingerprint. It would seem rather ugly to have it otherwise.

2) puppet ca generate [ --digest DIGEST ]

   # same as the above except done via puppet ca.

3) puppet cert generate [ --digest DIGEST ]

   # same as the above.

4) puppet cert --sign CERTIFICATE [ --digest DIGEST ]

   # digest algorithm to use when signing a certificate.

Meanwhile I think the 'puppet certificate_request' and 'puppet certificate_revocation_list' subcommands are broken. At least they don't seem to do what the man pages say they will do:

    # puppet cert list
      "myhost.example.com" (SHA1) 97:68:B9:0B:B1:E7:05:A9:03:12:3D:C6:1B:38:8C:6A:6C:B1:D1:F2
    #
    # puppet certificate_request search myhost.example.com
    #
    # puppet certificate_revocation_list search myhost.example.com
    Error: Could not call 'search' on 'certificate_revocation_list': can't convert nil into String
    Error: Could not call 'search' on 'certificate_revocation_list': can't convert nil into String
    Error: Try 'puppet help certificate_revocation_list search' for usage
    #

Likewise the 'puppet certificate' subcommand doesn't seem to be fully implemented either.

Thus, (1) to (4) above seem to be the extent of the proposed changes, as well as extending the internal default behaviour to be the highest supported digest algorithm where applicable.

How does all this sound?
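The digest selection described in this proposal (use --digest if given, otherwise prefer SHA256 and fall back to SHA1 when the underlying OpenSSL build lacks it), as an added Ruby illustration that is not Puppet's own code; the helper names digest_supported?, select_digest and fingerprint are made up for this example, and the fingerprint format mirrors what 'puppet cert list' prints.

```ruby
require 'openssl'

# Default preference order: strongest first, SHA1 only as the fallback the
# proposal describes for OpenSSL builds that do not provide SHA256.
DIGEST_PREFERENCE = %w[SHA256 SHA1].freeze

# OpenSSL raises "Unsupported digest algorithm (NAME)." for unknown names;
# that is the same error surfaced by 'puppet agent -t --fingerprint' above.
def digest_supported?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# An explicit --digest override is honoured or rejected as given; with no
# override, walk the preference list and take the first supported algorithm.
def select_digest(requested = nil, preference = DIGEST_PREFERENCE)
  candidates = requested ? [requested] : preference
  chosen = candidates.find { |name| digest_supported?(name) }
  unless chosen
    raise ArgumentError, "Unsupported digest algorithm (#{candidates.join(', ')})"
  end
  chosen
end

# Render a digest of DER bytes as "(ALGO) AA:BB:..." like 'puppet cert list'.
def fingerprint(der_bytes, digest_name)
  hex = OpenSSL::Digest.new(digest_name).hexdigest(der_bytes).upcase
  "(#{digest_name}) #{hex.scan(/../).join(':')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a throwaway self-signed certificate, not a real host.
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.invalid')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new(select_digest))
  puts fingerprint(cert.to_der, select_digest)
end
```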