Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-2420

CRLs should be signed with SHA256 when available

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Normal
          • Resolution: Duplicate
          • Affects Version/s: None
          • Fix Version/s: None
          • Component/s: None
          • Labels:
            None
          • Template:
          • Team:
            Platform Core
          • Story Points:
            1

            Description

            Certificate revocation lists are always signed with SHA1WithRSAEncryption, but when signing certificate signing requests and certificates, we default to SHA256WithRSAEncryption. If SHA256 is not available, we fall back to SHA1WithRSAEncryption.

            We should refactor the CRL code to use the CertificateSigner code so that we use more secure defaults.

              Attachments

                Issue Links

                is duplicated by

                Bug - A problem which impairs or prevents the functions of the product. PUP-7957 Puppet uses SHA1 when revoking certificates

                • Major - Major loss of function.
                • Closed
                relates to

                New Feature - A new feature of the product, which has yet to be developed. PUP-1840 Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                  Activity

                    People

                    • Assignee:
                      Unassigned
                      Reporter:
                      josh Josh Cooper
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      2 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Zendesk Support