(PUP-3176) Sign CSR with best digest available #3046
Conversation
CLA signed by all contributors.
raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for #{name} on the server" unless csr.verify(key.public_key)

@content = csr
Puppet.info "Certificate Request fingerprint (md5): #{fingerprint}"
Puppet.info "Certificate Request fingerprint (#{md.to_s}): #{fingerprint(md = md)}"
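Review bot: `fingerprint(md = md)` in the new `Puppet.info` line assigns `md` to itself and passes the result as the argument; Ruby evaluates it as `fingerprint(md)`, so it runs, but it reads as a typo and should be written `fingerprint(md)`. The same line interpolates `md.to_s` as the digest label: if `md` is an `OpenSSL::Digest` instance, `to_s` returns the hex digest of its (empty) state rather than the algorithm name, and `md.name` is what the log message wants; if `md` is already a string such as "sha256", the `.to_s` is redundant. The context shown does not include where `md` is assigned, so the label should be checked against that definition.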
md = md typo?
@stbenjam thank you for your contribution. Unfortunately, 2.7.x has been EOL for some time now. See https://groups.google.com/d/msg/puppet-users/8JEy7wY5VPs/9N07fgfU1mAJ for the original announcement. @skottler has been maintaining the 2.7.x branch, but recently announced this will end Sept 30 (see https://groups.google.com/d/msg/puppet-users/QLguMcLraLE/h6Yi8iXPUtYJ). I defer to him about whether to accept this patch given the limited window. Btw, we modified puppet to no longer use MD5 in https://projects.puppetlabs.com/issues/13435 (released in 3.0) and allowed the digest algorithm to be configurable in https://tickets.puppetlabs.com/browse/PUP-1840 (released in 3.6.0). I recommend upgrading to a later version of puppet.
Thanks for looking. I'd love to get rid of 2.7, but that presents some challenges for el5 users (and el5 still has some life left in it, unfortunately). This is the last release that supports ruby 1.8.5, and replacing the system ruby isn't an option for some users. It has to die at some point, of course, but I think this is probably a worthwhile last change. Hope this can get accepted. @skottler Do you know what the future of puppet in EPEL5 is going to be?
@stbenjam I bumped it from 2.6 to 2.7 around 6 months ago, so at least EPEL5 and EPEL6 are both on 2.7. I'm happy to accept some form of this patch in the 2.7 tree and do a final release since reducing the numbers of downstream patches is ideal IMO. The one issue that would prevent doing a 2.7.27 release is the condition I have setup with the Puppet Labs team, which is that we'll only do releases for security issues because of the time required of @stahnma's team to handle releases. It's possible that there would be an exception made in this case since it's the last release in the series, but I'll defer that decision to PL folks. tl;dr I'm happy to take the patch (need to do a review and all that jazz first), but only if it can get released before the end of September.
@skottler Great, thanks. I would say this could also be a security issue, defaulting to md5 when better digests are available, but I realize it's not exactly high-priority given the age of 2.7. Just as a background for anyone that didn't see the original issue in the tracker, RHEL 7, and basically any newer version of OpenSSL is going to refuse to sign an MD5-signed CSR.
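The digest-selection logic this PR is about, as an added example that is not code from the PR or from Puppet: it probes a preference list of digests against the OpenSSL library Ruby is linked to, signs a CSR with the first one that is usable, verifies the signature the way the `csr.verify(key.public_key)` check above does, and labels the fingerprint with the digest's actual name rather than a hard-coded "md5". The preference order, the helper names, the `agent.example` subject and the generated keys are assumptions made for this illustration.

```ruby
require 'openssl'

# Preferred digests, strongest first. Which of them can be instantiated depends
# on the OpenSSL build Ruby is linked against (MD5 is absent on some builds),
# so best_digest probes instead of assuming. The order is chosen for this example.
DIGEST_PREFERENCE = %w[SHA256 SHA1 MD5].freeze

# Return an OpenSSL::Digest for the first usable name in +candidates+.
def best_digest(candidates = DIGEST_PREFERENCE)
  candidates.each do |name|
    begin
      return OpenSSL::Digest.new(name)
    rescue RuntimeError, OpenSSL::Digest::DigestError
      # "Unsupported digest algorithm": fall through to the next candidate.
      next
    end
  end
  raise ArgumentError, "no usable digest among #{candidates.join(', ')}"
end

# Build a minimal CSR for +common_name+ and sign it with +digest+.
def build_csr(key, common_name, digest)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  csr.public_key = key.public_key
  csr.sign(key, digest)
  csr
end

# Colon-separated upper-case fingerprint of the CSR's DER encoding, computed
# with the same algorithm as +digest+. Use digest.name for the log label:
# digest.to_s would hex-dump the digest's empty state, not name the algorithm.
def fingerprint(csr, digest)
  hex = OpenSSL::Digest.new(digest.name).hexdigest(csr.to_der)
  hex.scan(/../).join(':').upcase
end

# The check an agent makes before accepting a CSR as its own: the signature
# must verify with the public half of the agent's private key.
def csr_belongs_to?(csr, key)
  csr.verify(key.public_key)
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)  # constructed for the demo
  md = best_digest
  csr = build_csr(key, 'agent.example', md)
  raise 'CSR sign verification failed' unless csr_belongs_to?(csr, key)
  puts "signed with #{csr.signature_algorithm}"
  puts "Certificate Request fingerprint (#{md.name.downcase}): #{fingerprint(csr, md)}"
  # A CSR signed by some other key must not pass the ownership check.
  other = OpenSSL::PKey::RSA.new(2048)
  puts "verifies with another key? #{csr_belongs_to?(csr, other)}"
end
```

On any OpenSSL that offers SHA-256 the CSR comes out as `sha256WithRSAEncryption`, which is what a modern CA expects; the fallback only reaches MD5 on a library that has nothing stronger, and the probe raises instead of silently signing with nothing if even that is missing.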
According to https://groups.google.com/forum/#!msg/puppet-users/QLguMcLraLE/h6Yi8iXPUtYJ Puppet 2.7.x hit EOL yesterday.
@adrienthebo Yup, thanks, I closed the issue and this PR. 2.7 is dead, long live 2.7! We'll carry this patch ourselves 👎 Thanks anyway!
No description provided.