Issue #5529 has been updated by Jason Smith.
Our Cyber Security group uses Nessus for internal network scans and recently all of our puppet client hosts started getting flagged because of SSL issues on our puppet daemons. In addition to the weak ciphers and compression (CRIME attack) vulnerabilities that were already mentioned above, they also flagged CVE-2011-1473 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473), which is a renegotiation DoS attack (may only affect older OSes with old SSL versions). We are also using apache on the master so are unaffected there, but it would be nice if we could configure SSL on the puppet client to resolve these issues since we only have one master but hundreds of client hosts.

----------------------------------------
Feature #5529: Allow configuration of SSL ciphers
https://projects.puppetlabs.com/issues/5529#change-90295

* Author: Davíð Geirsson
* Status: Accepted
* Priority: Normal
* Assignee:
* Category: SSL
* Target version: 3.x
* Affected Puppet version: 2.7.3
* Keywords: SSL ciphers encryption encrypt weak configuration
* Branch:
----------------------------------------

We run puppet in a secure environment. One of the policies in place states that no weak ciphers (key length < 128 bit) are allowed anywhere. Our puppetmasterd got flagged by a review recently as it allows such ciphers on incoming connections. I temporarily worked around it with this horrible hack in /usr/lib/ruby/1.8/webrick/ssl.rb:

ctx.verify_callback = config[:SSLVerifyCallback]
ctx.timeout = config[:SSLTimeout]
ctx.options = config[:SSLOptions]
+ ctx.ciphers = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!kEDH"
ctx

It'd be really nice if puppet allowed the user to specify the SSL cipher string in a config somewhere. I started to look into a proper patch for this but puppet has changed so much since the version we are running I'd essentially be creating two patches. Hopefully by the time we finally get around to upgrading to the latest we'll be able to specify this in the config.
;)
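Review bot: the added ctx.ciphers line excludes anonymous DH with !ADH, but in OpenSSL's cipher-string grammar that alias does not cover anonymous ECDH (AECDH-*), so unauthenticated suites can still be negotiated; !aNULL excludes both. The same string keeps RC4 enabled (RC4+RSA together with +MEDIUM) and removes every ephemeral DH suite via !kEDH, which gives up forward secrecy on the RSA-only suites that remain; a string such as HIGH:!aNULL:!RC4 satisfies the stated "no key length < 128 bit" policy without those side effects. Because the edit lives in the system copy of webrick/ssl.rb it is lost on the next Ruby package update, which is a further argument for the config option requested here.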
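To check a cipher string against the "no key length < 128 bit" policy from the report above, the following added example (not code from the issue, from WEBrick or from Puppet) expands a string to the suites OpenSSL on the local host actually enables and lists the ones that break the policy; STRICT_CIPHERS, hardened_context and the helper names are assumptions made for this example.

```ruby
require 'openssl'

# The workaround string quoted in the issue, used here as the "before" case.
HACK_CIPHERS   = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!kEDH"
# Assumed tighter alternative: HIGH-strength only, no anonymous key exchange
# (!aNULL covers both ADH and AECDH), no RC4 or MD5, and ephemeral DH/ECDH
# left enabled so forward secrecy is retained.
STRICT_CIPHERS = "HIGH:!aNULL:!RC4:!MD5"

# Expand a cipher string into the [name, protocol, bits, alg_bits] tuples
# OpenSSL resolves it to on this host.
def resolve_ciphers(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string   # raises OpenSSL::SSL::SSLError if nothing matches
  ctx.ciphers
end

# Names of suites that violate the policy: effective key size below min_bits,
# anonymous (unauthenticated) key exchange, or RC4.
def policy_violations(cipher_string, min_bits = 128)
  resolve_ciphers(cipher_string).select do |name, _proto, bits, _alg_bits|
    bits < min_bits || name =~ /\A(ADH|AECDH)-/ || name.include?("RC4")
  end.map(&:first)
end

# Server-side context that also disables TLS compression (the CRIME finding
# mentioned in the thread). Each option is applied only where this build of
# OpenSSL / the openssl gem provides it.
def hardened_context(cipher_string = STRICT_CIPHERS)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION if ctx.respond_to?(:min_version=)
  ctx
end

if $PROGRAM_NAME == __FILE__
  [HACK_CIPHERS, STRICT_CIPHERS].each do |cs|
    puts "#{cs}\n  violations: #{policy_violations(cs).inspect}"
  end
end
```

The exact suite names reported depend on the OpenSSL build, which is why the check expands the string on the host being reviewed rather than reasoning about aliases on paper.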
