
Update cipher suites #721

Status: Merged (1 commit) on Jan 21, 2020

Conversation

@mmoll (Contributor) commented Jan 15, 2020

This change is needed as puppetlabs is allowing only (non ?)-DH ciphers in puppetdb6, which in turn causes connectivity failures between puppet server and puppetdb if no common cipher is found. Unfortunately, changing the puppet server ciphers is not enough, setting the puppetdb ciphers is also necessary to make sure all communications are ok - this was added in the README in the puppetdb integration section as this change has to be done outside this module.

Fixes GH-714
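The failure mode described in this PR (two sides configured with cipher lists that do not overlap, so no TLS session can be negotiated) can be checked before deploying a configuration change. The following Ruby script is an added example for this thread, not code from the PR or from the puppet module; the cipher-suite lists in it are constructed samples in Java/IANA naming and are not the module's actual defaults.

```ruby
# Added example (not from the PR or the puppet module): given two TLS
# cipher-suite lists in Java/IANA naming, report whether a handshake can
# succeed (at least one suite in common), and flag CBC suites and common
# suites that lack forward secrecy. All suite lists are constructed samples.

# Split a comma- or whitespace-separated cipher list into unique names.
def parse_suites(list)
  list.split(/[,\s]+/).reject(&:empty?).uniq
end

# CBC-mode suites (non-AEAD) are the ones the review comment calls
# no longer secure.
def cbc_suite?(name)
  name.include?('_CBC_')
end

# ECDHE/DHE key exchange gives forward secrecy; plain TLS_RSA_* does not.
def forward_secret?(name)
  name.start_with?('TLS_ECDHE_', 'TLS_DHE_')
end

# Compare the suites one side offers against what the other side accepts.
def negotiation_report(side_a, side_b)
  a = parse_suites(side_a)
  b = parse_suites(side_b)
  common = a & b # array intersection, keeps side_a order
  {
    common: common,
    negotiable: !common.empty?,
    cbc_offered: a.select { |s| cbc_suite?(s) },
    common_without_pfs: common.reject { |s| forward_secret?(s) }
  }
end

# Constructed samples: a legacy RSA/CBC-only server list, an updated
# ECDHE/AEAD list, and a peer (think: a database endpoint) that only
# accepts ECDHE/AEAD suites.
LEGACY_SERVER  = 'TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256'
UPDATED_SERVER = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
PEER_DB        = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

if __FILE__ == $PROGRAM_NAME
  [LEGACY_SERVER, UPDATED_SERVER].each do |server|
    r = negotiation_report(server, PEER_DB)
    puts "server list: #{server}"
    puts "  negotiable: #{r[:negotiable]}  common: #{r[:common].inspect}"
    puts "  CBC suites offered: #{r[:cbc_offered].inspect}" unless r[:cbc_offered].empty?
    puts "  common suites without PFS: #{r[:common_without_pfs].inspect}" unless r[:common_without_pfs].empty?
  end
end
```

Run it against the two lists you intend to configure on each side; an empty `common` array is exactly the "no common cipher" condition that produces the connectivity failure, and a non-empty `cbc_offered` or `common_without_pfs` array points at suites worth dropping.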
@mmoll (Contributor, Author) commented Jan 15, 2020

@fschaer @noqqe could you check this?

@fschaer (Contributor) commented Jan 21, 2020

Can't test for now because I have to re-install a dev puppetdb; will try asap.
But from what I remember, the RSA keys were the only ones that I found to be working with puppetdb.

@ekohl (Member) left a review comment

CBC ciphers are indeed no longer considered secure. Probably why PuppetDB dropped them. This list looks like a good current standard.

@ekohl merged commit 8cc4e30 into theforeman:master on Jan 21, 2020

@ekohl (Member) commented Jan 21, 2020

@mmoll not entirely sure this is backwards incompatible, but I always consider changing defaults a good reason. Let me know if you disagree.

@mmoll mmoll deleted the tls branch January 21, 2020 13:51
Linked issue that this pull request closes: puppetserver cipher suites must be upgraded