Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-2606

Support ECC keys

    XMLWordPrintable

Details

    • New Feature
    • Hide
      An agent may be configured to use elliptic curve (EC) private keys using the `key_type=ec` puppet setting. By default, puppet will use the `prime256v1` elliptic curve, but an alternate curve may be specified using the `named_curve` puppet setting, provided ruby and openssl support it. See OpenSSL::PKey::EC.builtin_curves for a list of supported curves. Note the `key_type` and `named_curve` settings are ignored if the agent already has a private key. Also the settings only control the type of private key that the agent generates. It does not affect which curve is selected in the TLS protocol.
      Show
      An agent may be configured to use elliptic curve (EC) private keys using the `key_type=ec` puppet setting. By default, puppet will use the `prime256v1` elliptic curve, but an alternate curve may be specified using the `named_curve` puppet setting, provided ruby and openssl support it. See OpenSSL::PKey::EC.builtin_curves for a list of supported curves. Note the `key_type` and `named_curve` settings are ignored if the agent already has a private key. Also the settings only control the type of private key that the agent generates. It does not affect which curve is selected in the TLS protocol.

    Description

      Right now Puppet is hard coded to only use RSA keys when dealing with certificates. RSA is getting a little long in the tooth, and although it has not been compromised, there are newer algorithms that are not as susceptible to attacks that have been developed.

      OpenSSL supports ECC in addition to RSA. Puppet should become configurable to be able to use ECC for generating keys. This feature should be configurable since not all OpenSSL releases that puppet may be used on are going to have this available.

      Attachments

        Issue Links

          relates to

          New Feature - A new feature of the product, which has yet to be developed. PDB-179 Ensure we support ECC for SSL certificates

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          [Puppet Labs Redmine] Redmine (#22195) Ensure we support ECC for SSL certificates

          clones

          [Puppet Labs Redmine] Redmine (#22200) Support ECC keys

          Activity

            People

              josh Josh Cooper
              redmine.exporter redmine.exporter
              Erik Dasher Erik Dasher
              Votes:
              4 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support