Issue #5529 has been updated by Davíð Geirsson.
IMHO it would be best to allow the user to set the OpenSSL cipher suite spec directly. This is the configuration method used by most software, including apache: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

Following a suggestion by Jeff McCune, we've decided to use apache as a frontend server for puppet (which is probably a more sane solution for production than WEBrick). So for us this issue is not so critical anymore.

----------------------------------------
Feature #5529: Allow configuration of SSL ciphers
https://projects.puppetlabs.com/issues/5529

Author: Davíð Geirsson
Status: Needs design decision
Priority: Normal
Assignee: Nigel Kersten
Category: SSL
Target version:
Affected Puppet version:
Keywords: SSL ciphers encryption encrypt weak configuration
Branch:

We run puppet in a secure environment. One of the policies in place states that no weak ciphers (key length < 128 bit) are allowed anywhere. Our puppetmasterd got flagged by a review recently as it allows such ciphers on incoming connections.

I temporarily worked around it with this horrible hack in /usr/lib/ruby/1.8/webrick/ssl.rb:

ctx.verify_callback = config[:SSLVerifyCallback]
ctx.timeout = config[:SSLTimeout]
ctx.options = config[:SSLOptions]
+ ctx.ciphers = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!kEDH"
ctx

It'd be really nice if puppet allowed the user to specify the SSL cipher string in a config somewhere. I started to look into a proper patch for this but puppet has changed so much since the version we are running I'd essentially be creating two patches. Hopefully by the time we finally get around to upgrading to the latest we'll be able to specify this in the config. ;)

-- 
You have received this notification because you have either subscribed to it, or are involved in it.
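Review bot: `!kEDH` in the added `ctx.ciphers` line drops every ephemeral Diffie-Hellman suite, which removes forward secrecy from the server without being required by the "no key length < 128 bit" policy; drop it unless there is a separate reason for it. Two smaller points on the same string: `!ADH` excludes only anonymous DH, whereas `!aNULL` excludes every unauthenticated suite; and `!LOW` does not catch 3DES, which newer OpenSSL releases rate at 112 effective bits while keeping it in HIGH or MEDIUM, so a strict 128-bit policy needs an explicit `!3DES`. Finally, `RC4+RSA` without a leading `+` only appends suites that `ALL` already contains, and OpenSSL ignores re-added suites rather than moving them, so that term has no effect on the list.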
To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
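The comment above argues for exposing the OpenSSL cipher-suite spec directly, and the ticket's reviewers judged puppetmasterd by the effective key length of every suite it accepts. The following is an added example in Ruby (WEBrick's language) that applies a cipher string to an OpenSSL::SSL::SSLContext and reports which enabled suites fall below a 128-bit minimum. It is not code from the ticket, Puppet or WEBrick; the names MIN_KEY_BITS, weak_suites, audit_cipher_string and SAMPLE_SUITES are chosen here, and SAMPLE_SUITES is a constructed table in the shape that SSLContext#ciphers returns.

```ruby
# Added example (not Puppet or WEBrick code): audit an OpenSSL cipher
# string against a "no key length below 128 bits" policy. All names are
# this example's own.
require 'openssl'

MIN_KEY_BITS = 128

# OpenSSL::SSL::SSLContext#ciphers returns one [name, protocol, key_bits,
# alg_bits] row per enabled suite. Return the rows whose effective key
# length (key_bits, the value OpenSSL reports) is below the minimum.
def weak_suites(suites, min_bits = MIN_KEY_BITS)
  suites.select { |_name, _proto, bits, _alg_bits| bits < min_bits }
end

# Apply a cipher string to a fresh context and report what the local
# OpenSSL build actually enabled. SSLContext#ciphers= raises
# OpenSSL::SSL::SSLError only when no suite matches at all; keywords this
# OpenSSL does not know are silently ignored, so always inspect the result
# rather than trusting the string.
def audit_cipher_string(spec, min_bits = MIN_KEY_BITS)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = spec
  suites = ctx.ciphers
  {
    enabled: suites.map(&:first),
    weak: weak_suites(suites, min_bits).map(&:first),
    # Name-based heuristic: (EC)DHE suites and all TLS 1.3 suites (TLS_*)
    # use ephemeral key exchange and therefore offer forward secrecy.
    forward_secrecy: suites.any? { |name, *| name.start_with?('DHE-', 'ECDHE-', 'EDH-', 'TLS_') },
  }
end

# Constructed sample (not real context output) covering the cases the
# policy must separate: 256-bit AES, 128-bit RC4 (MEDIUM but compliant with
# a 128-bit rule), 3DES (168-bit key, 112 effective bits as newer OpenSSL
# reports it) and a 40-bit export suite.
SAMPLE_SUITES = [
  ['AES256-SHA',   'TLSv1/SSLv3', 256, 256],
  ['RC4-SHA',      'TLSv1/SSLv3', 128, 128],
  ['DES-CBC3-SHA', 'TLSv1/SSLv3', 112, 168],
  ['EXP-RC4-MD5',  'TLSv1/SSLv3',  40, 128],
]

if __FILE__ == $PROGRAM_NAME
  puts "sample table, weak suites: #{weak_suites(SAMPLE_SUITES).map(&:first).inspect}"
  # The ticket's workaround string next to a stricter one. What each enables
  # depends on the OpenSSL build this runs against, so the output is read,
  # not hard-coded.
  ['ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!kEDH',
   'HIGH:!aNULL:!3DES'].each do |spec|
    begin
      r = audit_cipher_string(spec)
      puts "#{spec}\n  enabled=#{r[:enabled].size} weak=#{r[:weak].inspect} forward_secrecy=#{r[:forward_secrecy]}"
    rescue OpenSSL::SSL::SSLError => e
      puts "#{spec}\n  rejected by OpenSSL: #{e.message}"
    end
  end
end
```

The same spec string is what Apache's SSLCipherSuite directive takes, so the audit applies equally to the apache frontend the comment describes; run it against the OpenSSL build the server links, since the suites a keyword such as HIGH or MEDIUM expands to differ between releases.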
