> Ah. I was thinking in the broader scope of getting us away from
> insecure hashes elsewhere in the product. From a strictly certificate
> POV, indeed, it should be just fine.

I'm trying to configure FIPS-compliant servers, and I've run into segfaults thrown by the Ruby interpreter when Puppet tries to use MD5. I think this is a problem somewhere else in my system, not Puppet, but it highlights the issue that I need Puppet to be able to use other hashing algorithms in its system configuration work, not merely in its certificates.

I've got an internal patch that replaces Digest::MD5 with Digest::SHA2 in puppet/util/checksums.rb and in puppet/parser/functions/md5.rb, but this method lacks finesse. The DSL function is still called md5, and the string representation of a file still starts with '{md5}' even though the rest is an SHA256 sum. It appears that puppet/util/checksums.rb was a start at adding hash algorithm flexibility, but the '{md5}' is added on elsewhere.

Has someone else already done things about this?
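
The label mismatch described in the message above ('{md5}' in front of a SHA256 sum) can be detected from digest length alone. The following is an added example, not part of the original message and not Puppet's own code; every function and constant name in it is hypothetical, and it assumes checksums are stored as "{algo}hex".

```ruby
require 'digest'

# Added illustration, not Puppet code. All names here are hypothetical.
# Hex digest length for each label this sketch knows about.
HEX_LENGTH = { 'md5' => 32, 'sha1' => 40, 'sha256' => 64 }.freeze

# Digest classes this sketch will actually compute. MD5 is left out on
# purpose so nothing here calls it on a FIPS-mode host.
DIGESTS = { 'sha256' => Digest::SHA256 }.freeze

# Build a "{algo}hex" string whose label names the algorithm really used.
def labelled_checksum(content, algo = 'sha256')
  klass = DIGESTS.fetch(algo) { raise ArgumentError, "unsupported algorithm: #{algo}" }
  "{#{algo}}#{klass.hexdigest(content)}"
end

# Split "{algo}hex" into [algo, hex]; returns nil when the string is malformed.
def parse_checksum(str)
  m = /\A\{(\w+)\}(\h+)\z/.match(str)
  m && [m[1].downcase, m[2].downcase]
end

# Classify a stored checksum string:
#   :ok          label and digest length agree
#   :mislabelled label is known but the length belongs to another algorithm
#   :unknown     label is not in HEX_LENGTH
#   :malformed   not of the form "{algo}hex"
def audit_checksum(str)
  algo, hex = parse_checksum(str)
  return :malformed unless algo
  expected = HEX_LENGTH[algo]
  return :unknown unless expected
  hex.length == expected ? :ok : :mislabelled
end

# Verify content against a stored checksum, refusing mislabelled values.
def verify(content, stored)
  return false unless audit_checksum(stored) == :ok
  algo, hex = parse_checksum(stored)
  klass = DIGESTS[algo]
  return false unless klass
  klass.hexdigest(content) == hex
end
```
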