Issue #19151 has been updated by Matthaus Owens. Private changed from Yes to No
----------------------------------------
Bug #19151: Reject SSLv2
https://projects.puppetlabs.com/issues/19151#change-86949

Author: Josh Cooper
Status: Closed
Priority: Normal
Assignee:
Category:
Target version: 3.1.1
Affected Puppet version: 0.24.0
Keywords: security
Branch:

Puppet accepts SSLv2, which is an insecure protocol. For this to happen, OpenSSL needs to be configured to explicitly disable SSLv2 when creating new SSL connection objects. This affects puppet's http connection code, and anywhere that open-uri is used, which includes the module tool and some providers in core.

Ideally, puppet's SSL protocol and acceptable ciphersuites should have secure defaults, but be configurable. For example, we should probably not accept any "Low" ciphersuites, like EXP-RC4-MD5, and it should be possible to require TLS, but reject SSLv2 and v3.

Some background from a recent topic on tech:

<pre>
This is what I was going by (on page 205: http://www.dsd.gov.au/publications/Information_Security_Manual_2012_Controls.pdf?&updatedNov12)

Using Secure Sockets Layer and Transport Layer Security

Version 1.0 of SSL was never released and version 2.0 had significant security flaws leading to the development of SSL 3.0. SSL has since been superseded by TLS, with the latest version being TLS 1.2 which was released in August 2008.

Control: 0482; Revision: 3; Updated: Sep-12; Applicability: G, P, C, S, TS; Compliance: must not; Authority: AH
Agencies must not use versions of SSL prior to version 3.0.

Control: 1139; Revision: 1; Updated: Sep-11; Applicability: G, P, C, S, TS; Compliance: should; Authority: AA
Agencies should use the current version of TLS instead of SSL.
</pre>
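One way to express what the issue asks for (protocols rejected by default but configurable, and no weak ciphersuites) with Ruby's OpenSSL bindings. This is an added example, not Puppet's code or the fix that shipped; the method names, the `reject:` and `ciphers:` parameters and the default cipher string are assumptions.

```ruby
require 'openssl'

# Assumed default for this example: only "HIGH" suites, with anonymous,
# unencrypted, low-strength, RC4 and MD5 suites explicitly removed.
DEFAULT_CIPHERS = 'HIGH:!aNULL:!eNULL:!LOW:!RC4:!MD5'

# Maps a configurable protocol name to the OpenSSL option bit that disables it.
PROTOCOL_OPTIONS = {
  sslv2: OpenSSL::SSL::OP_NO_SSLv2,
  sslv3: OpenSSL::SSL::OP_NO_SSLv3
}.freeze

# Build a context that rejects the listed protocols and restricts ciphersuites.
# Both SSLv2 and SSLv3 are rejected by default; callers can override the lists.
def hardened_ssl_context(reject: [:sslv2, :sslv3], ciphers: DEFAULT_CIPHERS)
  ctx = OpenSSL::SSL::SSLContext.new
  bits = reject.inject(0) { |acc, proto| acc | PROTOCOL_OPTIONS.fetch(proto) }
  # Keep whatever options the context already has and add the OP_NO_* bits.
  ctx.options = ctx.options.to_i | bits
  ctx.ciphers = ciphers
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# Names of enabled suites that look weak (export-grade, RC4, MD5, NULL).
# An empty result means the cipher string did its job.
def weak_ciphers(ctx)
  ctx.ciphers.map(&:first).grep(/\AEXP|RC4|MD5|NULL/)
end

if __FILE__ == $PROGRAM_NAME
  ctx = hardened_ssl_context
  sslv3_off = (ctx.options & OpenSSL::SSL::OP_NO_SSLv3) != 0
  puts "SSLv3 disabled: #{sslv3_off}"
  puts "enabled suites: #{ctx.ciphers.size}, weak: #{weak_ciphers(ctx).inspect}"
end
```

On OpenSSL builds that no longer include SSLv2 at all, `OP_NO_SSLv2` is a no-op bit, so the SSLv3 bit is the one worth checking at runtime.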
