Emergency Certificate Revocation Procedure
89 views
Skip to first unread message
Tom
Apr 8, 2014, 3:57:35 AM4/8/14
to puppet...@googlegroups.com
Hi,
In light of the recently publicised vulnerability in OpenSSL versions provided on RHEL6/CentOS6 http://heartbleed.com/, do you have any recommendations on a procedure to regenerate new master certificates and then revoke, clean and re-sign all client SSL certificates?
I think it'd be great in my organisation to have a bullet proof procedure for the future, as well as getting around this currently problem.
Thanks for any assistance.
Tom.
In light of the recently publicised vulnerability in OpenSSL versions provided on RHEL6/CentOS6 http://heartbleed.com/, do you have any recommendations on a procedure to regenerate new master certificates and then revoke, clean and re-sign all client SSL certificates?
I think it'd be great in my organisation to have a bullet proof procedure for the future, as well as getting around this currently problem.
Thanks for any assistance.
Tom.
Nan Liu
Apr 8, 2014, 10:01:34 AM4/8/14
to puppet...@googlegroups.com
Puppet Labs had a CVE around a puppet master certificate issue. It only replaces the master cert, but from what I recall a module automates this step. You can see if the remediation tool kit is still suitable for this purpose:
http://puppetlabs.com/security/cve/cve-2011-3872
http://puppetlabs.com/security/cve/cve-2011-3872
Matthew Burgess
Apr 8, 2014, 3:43:03 PM4/8/14
to puppet...@googlegroups.com
On 8 Apr 2014 09:29, "Tom" <t...@t0mb.net> wrote:
>
> Hi,
>
> In light of the recently publicised vulnerability in OpenSSL versions provided on RHEL6/CentOS6 http://heartbleed.com/, do you have any recommendations on a procedure to regenerate new master certificates and then revoke, clean and re-sign all client SSL certificates?
Whilst I can't offer any direct answer to your question, and agree that it's a generally useful thing to have in the toolbox, I'm slightly inquisitive as to why you feel that action is necessary for this vulnerability. Is your Puppet Master accessible publically via the Internet and if so, why is that? If it isn't directly accessible via the Internet who/what is it that you think could have exploited the vulnerability?
Thanks,
Matt
David Schmitt
Apr 9, 2014, 1:56:18 AM4/9/14
to puppet...@googlegroups.com
On 2014-04-08 21:43, Matthew Burgess wrote:
> that
> its a generally useful thing to have in the toolbox, Im slightly
internal network cannot be assured, then "internal-only access" is not
save either.
In my experience any VLAN that leaves a locked down rack cage - or any
rack cage with more than a single person having access (including
maintenance and facility management personnel) cannot rely on physical
security alone.
Regards, David
> On 8 Apr 2014 09:29, "Tom" <t...@t0mb.net [1]> wrote:
> >
> > Hi,
> >
> > In light of the recently publicised vulnerability in OpenSSL
> versions provided on RHEL6/CentOS6 http://heartbleed.com/ [2], do you
> >
> > Hi,
> >
> > In light of the recently publicised vulnerability in OpenSSL
> have any recommendations on a procedure to regenerate new master
> certificates and then revoke, clean and re-sign all client SSL
> certificates?
>
> Whilst I cant offer any direct answer to your question, and agree
> certificates and then revoke, clean and re-sign all client SSL
> certificates?
>
> that
> its a generally useful thing to have in the toolbox, Im slightly
> inquisitive as to why you feel that action is necessary for this
> vulnerability. Is your Puppet Master accessible publically via the
> Internet and if so, why is that? If it isnt directly accessible via
> vulnerability. Is your Puppet Master accessible publically via the
> the Internet who/what is it that you think could have exploited the
> vulnerability?
When the organisation is big enough that physical security of the
> vulnerability?
internal network cannot be assured, then "internal-only access" is not
save either.
In my experience any VLAN that leaves a locked down rack cage - or any
rack cage with more than a single person having access (including
maintenance and facility management personnel) cannot rely on physical
security alone.
Regards, David
Tom
Apr 9, 2014, 3:34:04 AM4/9/14
to puppet...@googlegroups.com
Hi Matthew,
Use your imagination. Puppet is not directly accessible to the internet, but there are puppet clients which are. Shared web servers, mail servers etc. I'm paid to be paranoid..
Thanks. Tom.
Use your imagination. Puppet is not directly accessible to the internet, but there are puppet clients which are. Shared web servers, mail servers etc. I'm paid to be paranoid..
Thanks. Tom.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAKUTv3%2BNsfq3%2Batkib6WQ%3DaHNRtXPVbkZh7P6EDoktYD6%2B_HUQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Tom
Apr 9, 2014, 3:30:37 AM4/9/14
to puppet...@googlegroups.com
Thank you Nan,
It looks like Puppet Labs have recognised the importance of this, and I guess this thread should defer to the guidance that Eric Sorenson just posted to the list!
Thank you for your help!
Tom.
It looks like Puppet Labs have recognised the importance of this, and I guess this thread should defer to the guidance that Eric Sorenson just posted to the list!
Thank you for your help!
Tom.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACqVBqBqqpU5LKQGztVmzdEjcZBiaZ1B7Rjg8nPcm4AMuYi73g%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages