The patch at https://github.com/puppetlabs/puppet/pull/616/files changes the default hash settings from MD5 and SHA1 to SHA256. This should have no effect on operation (or security) on existing environments.
With an existing CA, I've tested adding nodes with a patched master and client, a patched master against unpatched clients, and unpatched clients against a patched master.

Securing existing puppet environments requires some work.

* The creation of a new CA certificate.
* Does the CA need a new key as well?
* Would existing nodes automatically trust the new CA certificate, if it comes from the same key?

In the worst case, an automated upgrade path would be needed for large environments. For smaller environments, it is possible, but rather tedious, to remove /var/lib/puppet/ssl/ on master and all nodes, start the master, start the nodes, and use "puppet cert sign <nodename>" (alternatively "puppet cert sign --all", or use "/etc/puppet/autosign.conf" if you have a closed environment).

-- 
Stig Sandbeck Mathisen
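Before deciding whether an existing environment needs the CA re-created, it helps to see which signature algorithm the CA and node certificates under the ssldir actually carry. The script below is an added example for this thread, not code from the patch or from Puppet; it assumes the default Puppet layout (ca/ca_crt.pem and certs/*.pem under /var/lib/puppet/ssl) and a working openssl binary.

```shell
#!/bin/sh
# Audit the signature algorithm of the CA and node certificates in a Puppet ssldir
# and flag any that are still MD5- or SHA-1-signed. Example code, not part of the patch.

# Print the signature algorithm of one PEM certificate (e.g. sha1WithRSAEncryption).
# "openssl x509 -text" prints the line twice; the first occurrence is taken.
cert_sig_algo() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 (true) when the algorithm is MD5- or SHA-1-based, 1 otherwise.
is_weak_sig_algo() {
    case "$1" in
        md5*|sha1*|*MD5*|*SHA1*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Walk an ssldir (default path is an assumption based on the thread) and print
# one line per certificate: "WEAK <algo> <path>" or "ok <algo> <path>".
# Returns 1 if at least one weakly signed certificate was found, 0 otherwise.
audit_ssldir() {
    dir="${1:-/var/lib/puppet/ssl}"
    rc=0
    for f in "$dir"/ca/ca_crt.pem "$dir"/certs/*.pem; do
        [ -f "$f" ] || continue
        algo=$(cert_sig_algo "$f")
        if is_weak_sig_algo "$algo"; then
            echo "WEAK $algo $f"
            rc=1
        else
            echo "ok   $algo $f"
        fi
    done
    return $rc
}
```

Run it on the master and on a few nodes; a "WEAK" line for ca/ca_crt.pem means the CA itself, not just the node certificates, would have to be re-issued.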