
Update cipher suites #717

Closed
wants to merge 1 commit into from

Conversation

fschaer
Contributor

@fschaer fschaer commented Dec 3, 2019

This change is needed as puppetlabs is allowing only (non ?)-DH ciphers in puppetdb6, which in turn causes connectivity failures between puppet server and puppetdb if no common cipher is found. Unfortunately, changing the puppet server ciphers is not enough, setting the puppetdb ciphers is also necessary to make sure all communications are ok - this was added in the README in the puppetdb integration section as this change has to be done outside this module.

Fixes GH-714

@noqqe

noqqe commented Dec 17, 2019

I can reproduce the behavior. PuppetDB >6.7.2 does not support the ciphers that are being configured by the module.

Edit:

Workaround until this PR gets merged:

class { '::puppet':
  [...]
  server_reports              => 'store',
  server_storeconfigs_backend => 'puppetdb',
  # Only forward-secret (DHE/ECDHE) AEAD suites, which PuppetDB >6.7.2 still accepts
  server_cipher_suites        => [
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
  ],
}

Member

@ekohl ekohl left a comment


The TLS_RSA ciphers are vulnerable to the ROBOT attack. Should we remove those while we're at it? That's probably also the reason why PuppetDB fails to talk to theforeman-puppet now.
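As an added example (not code from this thread, from theforeman-puppet or from PuppetDB), the following Python check covers the two points raised above: whether a puppetserver cipher-suite list shares at least one suite with what the peer accepts (no common suite means the handshake fails, which is the PuppetDB connectivity failure described in the PR), and whether the list still contains static-RSA key exchange suites (TLS_RSA_WITH_...), which have no forward secrecy and are the class ekohl refers to with ROBOT. The six workaround suites are taken from noqqe's comment; the legacy list and the peer list are constructed samples, not the module's or PuppetDB's real configuration.

```python
"""Audit a TLS cipher-suite list for negotiability and for static-RSA key exchange.

Works on IANA-style suite names such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
"""

# The six suites from the workaround posted in the thread (forward-secret AEAD only).
WORKAROUND_SUITES = [
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
]

# Constructed sample of an older list built only from static-RSA suites
# (assumption for illustration; not the module's actual pre-PR defaults).
LEGACY_SUITES = [
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
]

# Constructed stand-in for the suites a peer (e.g. a PuppetDB instance) accepts:
# assumption that it only allows DHE/ECDHE GCM suites, not PuppetDB's real list.
PEER_SUITES = {
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
}


def key_exchange(suite):
    """Return the key-exchange component of an IANA suite name.

    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' -> 'ECDHE_ECDSA'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'         -> 'RSA'
    TLS 1.3 names (no '_WITH_') carry no key exchange, so return 'TLS13'.
    """
    if not suite.startswith('TLS_'):
        raise ValueError('not an IANA TLS suite name: %r' % suite)
    body = suite[len('TLS_'):]
    if '_WITH_' not in body:
        return 'TLS13'
    kx, _, _ = body.partition('_WITH_')
    return kx


def lacks_forward_secrecy(suite):
    """True for static-RSA key exchange: the server's long-term RSA key decrypts
    the session secret, so the suite has no forward secrecy and is the family
    affected by RSA padding-oracle attacks such as ROBOT."""
    return key_exchange(suite) == 'RSA'


def negotiable(server_suites, peer_suites):
    """Suites both sides offer, in server preference order.
    An empty result means no common cipher and a failed handshake."""
    peer = set(peer_suites)
    return [s for s in server_suites if s in peer]


def audit(server_suites, peer_suites):
    """Summarise whether the server list can talk to the peer and whether it
    still carries static-RSA suites that should be dropped."""
    common = negotiable(server_suites, peer_suites)
    return {
        'common': common,
        'handshake_ok': bool(common),
        'static_rsa': [s for s in server_suites if lacks_forward_secrecy(s)],
    }


if __name__ == '__main__':
    for name, suites in (('legacy', LEGACY_SUITES), ('workaround', WORKAROUND_SUITES)):
        result = audit(suites, PEER_SUITES)
        print('%-10s handshake_ok=%s static_rsa=%d common=%d' % (
            name, result['handshake_ok'], len(result['static_rsa']), len(result['common'])))
```

Run against the constructed lists, the legacy list yields no common suite (the handshake fails) and three static-RSA hits, while the workaround list negotiates all six suites and contains no static-RSA suite. The same functions can be pointed at the lists actually configured on a puppetserver and its PuppetDB to confirm an overlap before rolling out a cipher change.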

@mmoll
Contributor

mmoll commented Jan 15, 2020

-> GH-721

@mmoll mmoll closed this Jan 15, 2020
Successfully merging this pull request may close these issues.

puppetserver cipher suites must be upgraded
5 participants