[PUP-2420] CRLs should be signed with SHA256 when available - Puppet Tickets

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Template:
customfield_10700 33945
Team:
Platform Core
Story Points:
1

Description

Certificate revocation lists are always signed with SHA1WithRSAEncryption, but when signing certificate signing requests and certificates, we default to SHA256WithRSAEncryption. If SHA256 is not available, we fall back to SHA1WithRSAEncryption.

We should refactor the CRL code to use the CertificateSigner code so that we use more secure defaults.

Attachments

Issue Links

is duplicated by

PUP-7957 Puppet uses SHA1 when revoking certificates

Closed

relates to

PUP-1840 Let user change hashing algorithm, to avoid crashing on FIPS-compliant hosts

Closed

Activity

jsd-sla-details-panel

People

Assignee:

Unassigned

Reporter:

Josh Cooper

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2014/05/01 11:49 AM

Updated:

2018/02/06 1:42 PM

Resolved:

2017/09/25 9:53 AM