Puppet uses application-level authentication, not server-level, so a client
certificate is not required to connect to the server.

Some details about this are documented at
https://docs.puppet.com/puppet/5.0/config_file_auth.html and
https://docs.puppet.com/puppetserver/5.0/config_file_auth.html.

It's primarily required for the client certificate bootstrap process,
whereby a client: sends a certificate signing request (CSR), an authorized
user signs the certificate, and the client retrieves that signed
certificate.

On Mon, Jul 24, 2017 at 7:26 AM nan meng <meng.nan58...@gmail.com> wrote:

> 1. Version:
>
> Puppet: 4.10.4
>
> Puppet server: 2.7.2
>
> Puppet Agent: I do not use agent to do test.
>
> OS: Ubuntu 64-desktop 16.04
>
> Openssl: 1.0.2g
>
> 2. There is not any non-default configuration.
>
> 3. Test command: openssl s_client -connect puppet:8140    ##puppet is the
> hostname of master.
>
> 4. There is no log from puppet, that is why I captured packets.
>
> 5. Use wireshark, Menu->Analyze->Decode As, TCP, choose SSL, the result
> is decoded as SSL.
>
>
> In No. 12, we can see that the client sends a handshake message with a
> Certificate field, but it is empty.
>
> And then in No. 15, we can see that the handshake succeeds.
>
>
>
> I think it is a bug that a faked agent can connect to the server without
> certification.
>
>
>
> It is difficult to insert a picture, so please see the attachment.
>
> On Tuesday, July 18, 2017 at 11:36:17 PM UTC+8, nan meng wrote:
>
>> Hi all,
>>
>> I have tested puppet with versions 4.1 and 2.x, and found that if an agent
>> connects to the master without certification, the connection can still be
>> established.
>> I think it is not reasonable, because if an agent connects with a wrong
>> certification the connection will be refused.
>>
>> Does anyone know how to fix it?
>>
>> The attachment is a packet capture taken using tcpdump. It can prove what
>> I have said.
>>
>> Best Regards,
>>
>> Nan Meng
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/ec9fc782-c78b-4ddf-ab24-a914ac999462%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/ec9fc782-c78b-4ddf-ab24-a914ac999462%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

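To illustrate the application-level authorization described in the reply above, here is an added example (not part of the original thread and not Puppet Server's own code): a simplified Python model of auth.conf-style rule evaluation, showing that a handshake with an empty Certificate message still leaves each request subject to a per-endpoint decision. The rule list, the host names and the `authorize` helper are constructed for illustration, and the default-deny fallback is an assumption of this model; the real rules live in the server's auth.conf.

```python
import re

# Constructed rules, simplified from the shape of Puppet Server auth.conf entries.
RULES = [
    # CSR submission and signed-cert retrieval must work before the client has a cert.
    {"name": "csr", "path": r"^/puppet-ca/v1/certificate_request/([^/]+)$",
     "methods": {"GET", "PUT"}, "allow_unauthenticated": True},
    {"name": "cert", "path": r"^/puppet-ca/v1/certificate/([^/]+)$",
     "methods": {"GET"}, "allow_unauthenticated": True},
    # A node may fetch only the catalog whose name matches its certificate CN.
    {"name": "catalog", "path": r"^/puppet/v3/catalog/([^/]+)$",
     "methods": {"GET", "POST"}, "allow": "$1"},
]

def authorize(method, path, client_cn=None):
    """Return (allowed, reason). client_cn is None when the TLS handshake
    completed with an empty Certificate message, as in the capture above."""
    for rule in RULES:
        m = re.match(rule["path"], path)
        if not m or method not in rule["methods"]:
            continue
        # The first rule matching path and method decides the request.
        if rule.get("allow_unauthenticated"):
            return True, f"{rule['name']}: unauthenticated access permitted"
        if client_cn is None:
            return False, f"{rule['name']}: no verified client certificate"
        # "$1" refers to the first capture group of the path regex.
        expected = rule["allow"].replace("$1", m.group(1))
        if client_cn == expected:
            return True, f"{rule['name']}: certificate name matches"
        return False, f"{rule['name']}: {client_cn} may not access {expected}"
    return False, "no rule matched: default deny"

if __name__ == "__main__":
    # Constructed sample requests: (method, path, verified certificate CN or None).
    for args in [
        ("PUT", "/puppet-ca/v1/certificate_request/web01.example.com", None),
        ("GET", "/puppet/v3/catalog/web01.example.com", None),
        ("GET", "/puppet/v3/catalog/web01.example.com", "web01.example.com"),
        ("GET", "/puppet/v3/catalog/db01.example.com", "web01.example.com"),
    ]:
        print(args, "->", authorize(*args))
```

When auditing a real server, the entries to review are those marked `allow-unauthenticated` in auth.conf, since they are reachable by any client that completes the handshake.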