Older Ciphers? Weak Cipher Suites?


Dan Mahoney
Nov 10, 2020, 2:58:30 AM
to Puppet Users
All,

This is probably nothing, but I've searched the mailing lists and can't find anything useful about this.  We're running our puppetmaster under FreeBSD at the day job (puppet 6.18), and we see errors like this on puppetserver startup in the logs:

WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@7beb914b[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]

All in all, each warning is repeated several different times, and there's probably seven or eight different ciphers.

Java logging is...a mess, honestly, and it's pretty difficult to separate signal from noise when you're trying to debug something.

That said, I see release notes that something changed about weak ciphers in 6.5, but we're not there yet.

Is this something I should worry about, or just ignore?


Dan Mahoney
Nov 10, 2020, 3:02:04 AM
to Puppet Users
To be clear, here's the full list of what's warned about (each of these gets logged six times in succession, which I've deduplicated for brevity *except for the last one* so you can see that there are different addresses being listed).

WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]

WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@4f27d2a8[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@5a789c49[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@6593530a[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@71baa8f5[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@7beb914b[provider=null,keyStore=null,trustStore=null]

Justin Stoller
Nov 10, 2020, 11:50:36 AM
to puppet...@googlegroups.com
We needed to upgrade Jetty, but they changed their defaults and started warning about weak ciphers. To avoid breaking folks, we added back the ciphers that had been allowed at the start of the 6.x series, but that causes a lot of warnings. If you don't have connections that rely on the older ciphers, you can remove the weak ciphers from puppetserver's conf.d/webserver.conf and the warnings should go away. Let me know if the release notes for 6.5 don't make sense.
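The reply above says to remove the warned-about suites from the cipher-suites list in conf.d/webserver.conf. The script below is an added example, not code from the thread or from Puppet Server: it deduplicates the Jetty warnings quoted earlier in the thread (one entry per suite, with the set of InternalSslContextFactory instances that reported it), pulls the cipher-suites array out of a constructed webserver.conf fragment, drops every suite Jetty warned about plus anything that fails a small heuristic of my own (CBC mode, or static-RSA key exchange with no forward secrecy), and prints the replacement array in HOCON form. The sample log and the sample config are constructed inline; the exact default cipher list shipped in Puppet Server's webserver.conf is an assumption here.

```python
import re

# Constructed sample input: the warnings quoted in this thread, repeated across
# several InternalSslContextFactory instances the way Jetty logs them.
SAMPLE_LOG = """\
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@3900153c[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@4f27d2a8[provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@7beb914b[provider=null,keyStore=null,trustStore=null]
"""

# Constructed sample config: a webserver.conf with an explicit cipher-suites
# array. Which suites Puppet Server actually ships in this list is an assumption.
SAMPLE_WEBSERVER_CONF = """\
webserver: {
    ssl-host: 0.0.0.0
    ssl-port: 8140
    cipher-suites: [
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
        TLS_RSA_WITH_AES_256_CBC_SHA256,
        TLS_RSA_WITH_AES_256_CBC_SHA,
        TLS_RSA_WITH_AES_128_CBC_SHA256,
        TLS_RSA_WITH_AES_128_CBC_SHA
    ]
}
"""

WEAK_RE = re.compile(
    r"Weak cipher suite (?P<suite>\S+) enabled for "
    r"InternalSslContextFactory@(?P<factory>[0-9a-f]+)"
)
SUITES_RE = re.compile(r"cipher-suites\s*[:=]\s*\[(?P<body>.*?)\]", re.S)


def weak_suites_from_log(log):
    """Deduplicate Jetty's warnings: suite -> set of factory instances that reported it."""
    seen = {}
    for line in log.splitlines():
        m = WEAK_RE.search(line)
        if m:
            seen.setdefault(m.group("suite"), set()).add(m.group("factory"))
    return seen


def configured_suites(conf):
    """Extract the cipher-suites array from a HOCON webserver.conf fragment.
    Accepts comma- or newline-separated, quoted or bare suite names."""
    m = SUITES_RE.search(conf)
    if not m:
        return []  # no explicit list: Jetty/JSSE defaults apply, nothing to edit
    return [tok.strip().strip('"') for tok in re.split(r"[,\n]", m.group("body")) if tok.strip()]


def suite_concerns(suite):
    """My own heuristic, not Jetty's rule: CBC suites lack an AEAD construction and
    TLS_RSA_* suites use static RSA key exchange, so a later key compromise
    decrypts recorded traffic."""
    concerns = []
    if "_CBC_" in suite:
        concerns.append("CBC mode")
    if suite.startswith("TLS_RSA_WITH_"):
        concerns.append("no forward secrecy")
    return concerns


def harden(conf_suites, weak):
    """Return (kept, dropped): drop anything Jetty warned about or that suite_concerns flags."""
    kept = [s for s in conf_suites if s not in weak and not suite_concerns(s)]
    dropped = [s for s in conf_suites if s not in kept]
    return kept, dropped


def render_cipher_suites(kept):
    """Render the replacement array in HOCON form for webserver.conf."""
    inner = ",\n".join(f"        {s}" for s in kept)
    return f"    cipher-suites: [\n{inner}\n    ]"


if __name__ == "__main__":
    weak = weak_suites_from_log(SAMPLE_LOG)
    for suite, factories in sorted(weak.items()):
        print(f"{suite}: warned by {len(factories)} factory instance(s)")
    kept, dropped = harden(configured_suites(SAMPLE_WEBSERVER_CONF), weak)
    print("\ndropping:", ", ".join(dropped))
    print("\nreplacement for conf.d/webserver.conf:\n" + render_cipher_suites(kept))
```

Two things to check before shipping the narrowed list: every agent (and any load balancer or monitoring probe that terminates TLS at 8140) must still be able to negotiate one of the remaining ECDHE/GCM suites, which is exactly the "connections that rely on the older ciphers" caveat in the reply; and after restarting puppetserver, a handshake attempt restricted to one dropped suite, e.g. `openssl s_client -connect puppet:8140 -tls1_2 -cipher AES128-SHA`, should now fail while the startup log no longer shows the "Weak cipher suite" lines.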

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/b5ec5090-810b-4bbc-80b4-cab024b20722n%40googlegroups.com.