Issue #5529 has been updated by James Turnbull.

Status changed from Accepted to Needs Decision
Assignee set to Nigel Kersten
Target version set to Telly
Affected Puppet version set to 2.7.3

Nigel - can you ensure it gets reflected in the Telly Roadmap please and 
updated.
----------------------------------------
Feature #5529: Allow configuration of SSL ciphers
https://projects.puppetlabs.com/issues/5529

Author: Davíð Geirsson
Status: Needs Decision
Priority: Normal
Assignee: Nigel Kersten
Category: SSL
Target version: Telly
Affected Puppet version: 2.7.3
Keywords: SSL ciphers encryption encrypt weak configuration
Branch: 


We run puppet in a secure environment. One of the policies in place states that 
no weak ciphers (key length < 128 bit) are allowed anywhere.

Our puppetmasterd got flagged by a review recently as it allows such ciphers on 
incoming connections. I temporarily worked around it with this horrible hack in 
/usr/lib/ruby/1.8/webrick/ssl.rb:

      ctx.verify_callback = config[:SSLVerifyCallback]
      ctx.timeout = config[:SSLTimeout]
      ctx.options = config[:SSLOptions]
+      ctx.ciphers = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!kEDH"
      ctx
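Review bot: the cipher string on the `+` line starts from `ALL` and then relies on `+HIGH:+MEDIUM`, but in OpenSSL cipher-list syntax a leading `+` only moves matching suites to the end of the list and removes nothing, so the list still contains whatever `ALL` selects that is not explicitly negated by the `!` terms, and `RC4+RSA` deliberately keeps RC4 suites, which RFC 7465 prohibits for TLS. To actually meet the stated policy (no key length below 128 bits), start from a positive selection such as `HIGH:!aNULL:!RC4` and confirm the resulting list with `openssl ciphers -v '<string>'`, which prints the encryption algorithm and key size of every suite it enables. Putting the value in Puppet's own configuration, as the ticket asks, also avoids losing the change on the next Ruby package upgrade, which editing `/usr/lib/ruby/1.8/webrick/ssl.rb` cannot.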


It'd be really nice if puppet allowed the user to specify the SSL cipher string 
in a config somewhere. I started to look into a proper patch for this but 
puppet has changed so much since the version we are running I'd essentially be 
creating two patches.

Hopefully by the time we finally get around to upgrading to the latest we'll be 
able to specify this in the config. ;)
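Added example, not from the ticket or from Puppet's code: a small Ruby routine showing how a configured cipher string could be applied to an OpenSSL::SSL::SSLContext and checked against the reporter's policy of no key length below 128 bits. The cipher string "HIGH:!aNULL:!MD5:!RC4", the function names and the 128-bit constant are assumptions for the example.

```ruby
require 'openssl'

# Policy stated in the ticket: no cipher with a key length below 128 bits.
MIN_KEY_BITS = 128

# cipher_table has the shape OpenSSL::SSL::SSLContext#ciphers returns:
# one [name, version, key_bits, alg_bits] entry per enabled suite.
# Returns the names of the suites whose key length is below min_bits.
def weak_ciphers(cipher_table, min_bits = MIN_KEY_BITS)
  cipher_table.select { |_name, _version, bits, _alg_bits| bits < min_bits }
              .map { |name, *| name }
end

# Apply a cipher string (the value the ticket asks Puppet to read from its
# config) to a fresh SSLContext and return [ctx, offending_names]. An empty
# offending list means the context satisfies the policy.
def context_with_ciphers(cipher_string, min_bits = MIN_KEY_BITS)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string # raises OpenSSL::SSL::SSLError if nothing matches
  [ctx, weak_ciphers(ctx.ciphers, min_bits)]
end

# Wrapper for server start-up code: refuse to run with a non-compliant list
# instead of silently accepting weak suites on incoming connections.
def compliant_context!(cipher_string, min_bits = MIN_KEY_BITS)
  ctx, offending = context_with_ciphers(cipher_string, min_bits)
  unless offending.empty?
    raise ArgumentError,
          "cipher string enables sub-#{min_bits}-bit suites: #{offending.join(', ')}"
  end
  ctx
end

if $PROGRAM_NAME == __FILE__
  # Show what the local OpenSSL build enables for an assumed strict string.
  ctx, offending = context_with_ciphers("HIGH:!aNULL:!MD5:!RC4")
  puts "#{ctx.ciphers.size} suites enabled, #{offending.size} below #{MIN_KEY_BITS} bits"
  ctx.ciphers.each do |name, version, bits, _alg_bits|
    puts format("%-40s %-7s %3d bits", name, version, bits)
  end
end
```

The exact suites listed depend on the OpenSSL build Ruby is linked against, so run it on the puppetmaster host itself to see what that server would actually negotiate.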


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.