Puppet uses application-level authentication, not server-level, so a client certificate is not required to connect to the server.
Some details about this are documented at https://docs.puppet.com/puppet/5.0/config_file_auth.html and https://docs.puppet.com/puppetserver/5.0/config_file_auth.html. It's primarily required for the client certificate bootstrap process, whereby a client sends a certificate signing request (CSR), an authorized user signs the certificate, and the client retrieves that signed certificate.

On Mon, Jul 24, 2017 at 7:26 AM nan meng <[email protected]> wrote:

> 1. Version:
>
> Puppet: 4.10.4
>
> Puppet server: 2.7.2
>
> Puppet Agent: I do not use agent to do test.
>
> OS: Ubuntu 64-desktop 16.04
>
> Openssl: 1.0.2g
>
> 2. There is not any non-default configuration.
>
> 3. Test command: openssl s_client -connect puppet:8140 ##puppet is the hostname of master.
>
> 4. There is no log from puppet, that is why I captured packets.
>
> 5. Use wireshark, Menu->Analyze->Decode As, TCP, choose SSL, the result is decoded as SSL.
>
> In No. 12, we can see that the client sends a handshake message with a Certificate field, but it is empty.
>
> And then in No. 15, we can see that the handshake is a success.
>
> I think it is a bug that a faked agent can connect to the server without certification.
>
> It is difficult to insert a picture, so please see the attachment.
>
> On Tuesday, July 18, 2017 at 11:36:17 PM UTC+8, nan meng wrote:
>
>> Hi all,
>>
>> I have tested puppet with version 4.1 and 2.x, and found that if an agent connects to the master without certification, the connection can still be established.
>> I think it is not reasonable, because if an agent connects with a wrong certification the connection will be refused.
>>
>> Does anyone know how to fix it?
>>
>> The attachment is a packet capture taken with tcpdump. It can prove what I have said.
>>
>> Best Regards,
>>
>> Nan Meng
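Added illustration, not part of the thread and not Puppet Server's own code: a small Python model of application-level authorization, showing why a TLS handshake that completes with an empty Certificate message does not by itself grant access to protected endpoints. The rule set is a simplified assumption modelled on Puppet Server's default auth.conf, and the node names are constructed.

```python
import re

# Simplified rules modelled on Puppet Server's default auth.conf.
# Assumption: paths and fields are paraphrased for illustration; consult
# your own auth.conf for the rules actually in force.
RULES = [
    {"name": "csr", "path": r"^/puppet-ca/v1/certificate_request",
     "methods": {"GET", "PUT"}, "allow_unauthenticated": True},
    {"name": "ca certificate", "path": r"^/puppet-ca/v1/certificate/",
     "methods": {"GET"}, "allow_unauthenticated": True},
    # A node may only fetch the catalog whose name matches its own cert CN.
    {"name": "catalog", "path": r"^/puppet/v3/catalog/([^/]+)$",
     "methods": {"GET", "POST"}, "allow": r"\1"},
]

def authorize(method, path, client_cn=None):
    """Return (allowed, reason) for one request.

    client_cn is the CN of the verified client certificate, or None when
    the handshake carried an empty Certificate message.
    """
    for rule in RULES:
        match = re.search(rule["path"], path)
        if not match or method not in rule["methods"]:
            continue
        if rule.get("allow_unauthenticated"):
            return True, rule["name"]          # bootstrap endpoints
        if client_cn is None:
            return False, "no client certificate"
        # Expand the capture group from the path, then compare to the CN.
        return client_cn == match.expand(rule["allow"]), rule["name"]
    return False, "no matching rule"           # default deny

if __name__ == "__main__":
    # Constructed sample requests.
    for req in [
        ("PUT", "/puppet-ca/v1/certificate_request/web01.example.test", None),
        ("GET", "/puppet/v3/catalog/web01.example.test", None),
        ("GET", "/puppet/v3/catalog/web01.example.test", "web01.example.test"),
        ("GET", "/puppet/v3/catalog/web01.example.test", "web02.example.test"),
    ]:
        print(req, "->", authorize(*req))
```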
