[Pkg-puppet-devel] Bug#679765: Bug#679765: puppetmaster - CA prone to MD5 collision attacks

Stig Sandbeck Mathisen ssm at redpill-linpro.com
Fri Jul 6 12:45:38 UTC 2012


The patch at https://github.com/puppetlabs/puppet/pull/616/files changes
the default hash settings from MD5 and SHA1 to SHA256. This should have
no effect on operation (or security) on existing environments.

With an existing CA, I've tested adding nodes with a patched master and
client, a patched master against unpatched clients, and unpatched
clients against a patched master.

Securing existing puppet environments requires some work.

 * The creation of a new CA certificate.

 * Does the CA need a new key as well?

 * Would existing nodes automatically trust the new CA certificate, if
   it comes from the same key?

In the worst case, an automated upgrade path would be needed for large
environments.

For smaller environments, it is possible, but rather tedious, to remove
/var/lib/puppet/ssl/ on master and all nodes, start the master, start
the nodes, and use "puppet cert sign <nodename>" (alternatively "puppet
cert sign --all", or use "/etc/puppet/autosign.conf" if you have a
closed environment)

-- 
Stig Sandbeck Mathisen
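An added, defender-side check, not part of this thread or of the Puppet project: a Ruby script that walks a Puppet ssldir and reports which certificates are still signed with the MD5 or SHA1 digests the patch replaces. The ssldir path defaults to /var/lib/puppet/ssl as in the mail; the `sample_ca_pem` helper is assumed test scaffolding that only builds a throwaway self-signed CA.

```ruby
require 'openssl'
require 'tmpdir' # only needed when auditing a scratch directory

# Signature digests the pull request replaces; a CA certificate signed with one
# of these is the collision-prone case the bug describes. Names follow the long
# form returned by OpenSSL::X509::Certificate#signature_algorithm.
def weak_signature_algorithm?(alg)
  alg.match?(/\A(md5|sha1)with/i)
end

# Classify one PEM certificate: returns [subject, algorithm name, weak?].
def check_cert_signature(pem)
  cert = OpenSSL::X509::Certificate.new(pem)
  alg = cert.signature_algorithm
  [cert.subject.to_s, alg, weak_signature_algorithm?(alg)]
end

# Audit every certificate below a Puppet ssldir (default /var/lib/puppet/ssl).
# Private keys and CSRs are skipped; only CERTIFICATE blocks are inspected.
def audit_ssldir(ssldir)
  Dir.glob(File.join(ssldir, '**', '*.pem')).sort.each_with_object([]) do |path, out|
    pem = File.read(path)
    next unless pem.include?('BEGIN CERTIFICATE')
    subject, alg, weak = check_cert_signature(pem)
    out << { path: path, subject: subject, algorithm: alg, weak: weak }
  end
end

# Constructed test data: a throwaway self-signed CA signed with the given digest.
def sample_ca_pem(digest)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: constructed-test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new(digest))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  ssldir = ARGV[0] || '/var/lib/puppet/ssl'
  audit_ssldir(ssldir).each { |r| puts "#{r[:path]}: #{r[:algorithm]} weak=#{r[:weak]}" }
end
```

Run it on the master and on a node; any line reporting weak=true is a certificate that needs reissuing under the new CA rather than one that the patch alone fixes.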