On Wed, May 25, 2011 at 10:23, Jennings, Jared L CTR USAF AFMC 46
SK/CCI <jared.jennings....@eglin.af.mil> wrote:
>> Ah.  I was thinking in the broader scope of getting us away from
>> insecure hashes elsewhere in the product.  From a strictly certificate
>> POV, indeed, it should be just fine.
>
> I'm trying to configure FIPS-compliant servers, and I've run into segfaults 
> thrown by the Ruby interpreter when Puppet tries to use MD5. I think this is 
> a problem somewhere else in my system, not Puppet, but it highlights the 
> issue that I need Puppet to be able to use other hashing algorithms in its 
> system configuration work, not merely in its certificates.

O_o  At this point I would be pretty worried; that sounds like a nasty
bug, and I would worry that it comes from some sort of memory corruption
that is going to make a mess of other things along the way.  That
said, I agree that being able to use a different digest would be
great.

> I've got an internal patch that replaces Digest::MD5 with Digest::SHA2 in 
> puppet/util/checksums.rb and in puppet/parser/functions/md5.rb, but this 
> method lacks finesse. The DSL function is still called md5, and the string 
> representation of a file still starts with '{md5}' even though the rest is an 
> SHA256 sum.

Yeah.  You will also hit troubles if you don't have a uniformly
patched solution out there, or even if...

> It appears that puppet/util/checksums.rb was a start at adding hash algorithm 
> flexibility, but the '{md5}' is added on elsewhere.

...you fixed this, and you needed to run against unpatched clients.
We don't generically match the checksum at all, so that assumption is
going to be baked into a whole bunch of places.

> Has someone else already done things about this?

Not that we are aware of.  If you delivered support for configuring
that through the product, though, we would almost certainly support it
without any other compatibility support.  (As in, I think it has value
in that form alone, even though we want to support multiple hashes,
etc.)

Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
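An added example (not Puppet's code, and not posted by anyone in this thread) of the generic tagged-checksum matching the reply above says Puppet lacks: the algorithm name travels in the `{type}` prefix, is parsed back out, and selects the digest at verification time, so an `{md5}` sum from an unpatched client and a `{sha256}` sum from a patched one both verify against the same content. The module name `TaggedChecksum`, the `ALGORITHMS` table, the `TAG_RE` pattern and the sample content are this example's own assumptions.

```ruby
require 'digest/md5'
require 'digest/sha2'

# Added example, not Puppet's own code: checksum strings carry their
# algorithm in a "{type}" prefix, and verification dispatches on that
# prefix instead of assuming every checksum is "{md5}".
module TaggedChecksum
  # Algorithm name (as used in the "{name}" prefix) -> Digest class.
  # Only md5 and sha256 are wired up here (assumption for the example);
  # on a FIPS-restricted system this table is where md5 would be dropped.
  ALGORITHMS = {
    'md5'    => Digest::MD5,
    'sha256' => Digest::SHA256,
  }.freeze

  # "{type}hexdigest": a lowercase algorithm name in braces, then lowercase hex.
  TAG_RE = /\A\{(?<type>[a-z0-9]+)\}(?<hex>[0-9a-f]+)\z/

  # Produce the tagged checksum of +content+ with the requested algorithm.
  # The default is sha256 (an assumption of this example, not Puppet's default).
  def self.checksum(content, type = 'sha256')
    digest = ALGORITHMS.fetch(type) do
      raise ArgumentError, "unknown checksum type #{type.inspect}"
    end
    "{#{type}}#{digest.hexdigest(content)}"
  end

  # Split "{type}hex" into [type, hex]; nil if the string is not tagged.
  def self.parse(tagged)
    m = TAG_RE.match(tagged.to_s)
    m && [m[:type], m[:hex]]
  end

  # Verify +content+ against a tagged checksum using the algorithm the tag
  # names. An "{md5}" string from an unpatched client still verifies; an
  # untagged string or an unknown algorithm is rejected rather than guessed.
  def self.matches?(content, tagged)
    type, hex = parse(tagged)
    return false unless type && ALGORITHMS.key?(type)
    ALGORITHMS[type].hexdigest(content) == hex
  end
end

# Constructed sample input: the content of a managed file as both sides
# would see it, plus the checksum an unpatched (md5) client would report.
if __FILE__ == $PROGRAM_NAME
  content = "abc"
  legacy  = "{md5}900150983cd24fb0d6963f7d28e17f72"
  puts TaggedChecksum.checksum(content)            # new default, tagged sha256
  puts TaggedChecksum.matches?(content, legacy)    # old md5 string still verifies
  puts TaggedChecksum.matches?(content, "deadbeef") # untagged: rejected
end
```

The point of the dispatch is that the reader of a checksum never has to know which digest the writer was configured with; the downside the reply hints at still holds, since an unpatched client that cannot parse `{sha256}` will simply treat every file as changed.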

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.