[Pkg-puppet-devel] Bug#620739: puppet - No longer secure key and hash defaults

Bastian Blank waldi at debian.org
Sun Apr 3 18:41:38 UTC 2011

Source: puppet
Version: 2.6.2-4
Severity: important

puppet has the following defaults for the CA:
- Key length: 1024 bits
- Hash: MD5

MD5 is broken by now and a 1024-bit key length is no longer
considered safe.

The German BSI[1] produces a yearly document[2] that defines which
algorithms should be safe for use over the next five years. This
document rules out MD5, SHA-1 and RIPEMD-160 for hashing and key
sizes < 1976 bits for RSA keys right now.

Please update the default settings to something safe for the time of the
default TTL (five years).


[1]: Bundesamt für Sicherheit in der Informationstechnik[3]
[2]: http://www.bundesnetzagentur.de/cae/servlet/contentblob/192414/publicationFile/10008/2011AlgoKatpdf.pdf
[3]: https://www.bsi.bund.de/DE/Home/home_node.html
Our missions are peaceful -- not for conquest.  When we do battle, it
is only because we have no choice.
		-- Kirk, "The Squire of Gothos", stardate 2124.5
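Added example (not part of the bug report or of Puppet itself): a small audit script that checks a puppet.conf fragment against the limits the report cites (RSA keys shorter than 1976 bits, and MD5/SHA-1/RIPEMD-160 as hash). `keylength` and `ca_md` are Puppet's own setting names for the CA key size and certificate hash; the sample configuration, the 1024-bit/md5 fallback defaults and the section-resolution order are assumptions made for the example.

```python
import configparser

# Constructed sample puppet.conf fragment reproducing the 2.6-era defaults
# the bug report describes (assumed layout, not a file from the package).
SAMPLE_PUPPET_CONF = """
[main]
ssldir = /var/lib/puppet/ssl

[master]
keylength = 1024
ca_md = md5
ca_ttl = 5y
"""

# Same layout with settings that satisfy the limits quoted in the report.
HARDENED_PUPPET_CONF = """
[master]
keylength = 4096
ca_md = sha256
ca_ttl = 5y
"""

# Thresholds as summarised in the report from the BSI algorithm catalogue.
MIN_RSA_BITS = 1976
REJECTED_HASHES = {"md5", "sha1", "ripemd160"}


def parse_puppet_conf(text):
    """puppet.conf is INI-style; interpolation is disabled so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def effective_setting(cp, name, default):
    """Assumed resolution order: [master] overrides [main]; otherwise the built-in default."""
    for section in ("master", "main"):
        if cp.has_option(section, name):
            return cp.get(section, name).strip()
    return default


def normalise_hash(name):
    """Map spellings such as 'SHA-1' or 'RIPEMD_160' onto the keys in REJECTED_HASHES."""
    return name.lower().replace("-", "").replace("_", "")


def audit_ca_settings(text, default_keylength="1024", default_ca_md="md5"):
    """Return a list of findings; an empty list means both CA settings pass.

    The fallback defaults mirror the 2.6.2 behaviour described in the report,
    so a configuration that never sets these keys is flagged as well.
    """
    cp = parse_puppet_conf(text)
    findings = []

    keylength = int(effective_setting(cp, "keylength", default_keylength))
    if keylength < MIN_RSA_BITS:
        findings.append(f"keylength={keylength}: below {MIN_RSA_BITS}-bit minimum")

    ca_md = normalise_hash(effective_setting(cp, "ca_md", default_ca_md))
    if ca_md in REJECTED_HASHES:
        findings.append(f"ca_md={ca_md}: hash algorithm ruled out")

    return findings


if __name__ == "__main__":
    for label, conf in (("defaults", SAMPLE_PUPPET_CONF), ("hardened", HARDENED_PUPPET_CONF)):
        print(label, audit_ca_settings(conf) or "OK")
```

Because the checker applies the package defaults when a key is absent, running it over an empty or `[main]`-only configuration reports the same two findings as the sample above; only an explicit `keylength`/`ca_md` at or above the cited limits clears them.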
