Puppet SSL Ciphers

[Douglas Garstang]

We're currently going through a PCI audit process, and an internal scan by an auditor of our network came up with the following advisory on port 8139 on all of our puppet servers. 

Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf configuration files:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Obviously, it's a canned response assuming that a web server is listening on that port. Is there any way to disable the 'weak and medium ciphers' on the default webrick server?

Doug.

[Nigel Kersten]

We actually had a feature request in about this recently that
shouldn't be too hard to find if you do a search. More people caring
about this will lead us to prioritize it more, however...

You really should move away from Webrick for production for several
reasons, including this one. It's not suggested for production use.

If you move to Mongrel or Passenger with Apache, our two most common
deployment methods, you can fully specify the strong ciphers.

> Doug.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

[Russ Allbery]

Nigel Kersten <ni...@puppetlabs.com> writes:

> We actually had a feature request in about this recently that shouldn't
> be too hard to find if you do a search. More people caring about this
> will lead us to prioritize it more, however...

> You really should move away from Webrick for production for several
> reasons, including this one. It's not suggested for production use.

Webrick is very nice for the Puppet CA if one wants to run it on a
separate system that doesn't otherwise need a full web server. It allows
the CA to run as a nicely stand-alone service, and the CA is not
particularly performance-critical and doesn't suffer from the performance
issues of Webrick.

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>

[Douglas Garstang]

On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:

On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang
<doug.g...@gmail.com> wrote:
> We're currently going through a PCI audit process, and an internal scan by
> an auditor of our network came up with the following advisory on port 8139
> on all of our puppet servers.
> Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
> configuration files:
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> Obviously, it's a canned response assuming that a web server is listening on
> that port. Is there any way to disable the 'weak and medium ciphers' on the
> default webrick server?

We actually had a feature request in about this recently that
shouldn't be too hard to find if you do a search. More people caring
about this will lead us to prioritize it more, however...

You really should move away from Webrick for production for several
reasons, including this one. It's not suggested for production use.

If you move to Mongrel or Passenger with Apache, our two most common
deployment methods, you can fully specify the strong ciphers.

Nigel,

Well, I can go back and give Passenger another shot, but I didn't pursue it originally because I wasn't able to get the perfect combination of ruby, rack etc etc to make it work. It involves a lot of magic voodoo. Passenger is also installed from ruby gems which, as an ops person, makes my skin crawl.

Also... I'm not sure if I understand this issue correctly, but the client itself runs the WEBrick server, correct? What is this for? Is this to allow puppetrun to be run from the server? If that's the case, I would also have to move every client to Passenger or Mongrel was well. I'm not sure about Mongrel, but that means a rather complicated update on the clients, given passengers voodoo install magic.

Doug.

 

[Trevor Vaughan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Neither Passenger, nor Mongrel, are that difficult to set up behind
Apache but I will say that the Passenger instructions are quite user
friendly.

I attempted to provide the capability to modify the cipher sets in
Puppet for my own interest, but this is actually a limitation in the
Webrick codebase itself and I wasn't quite up to modifying the Ruby guts
when an Apache front-end was so simple to accomplish.

That said, you could also use Webrick behind an Apache front end and it
*should* work in passthrough mode but I haven't tested it since
Passenger and Mongrel were so straightforward.

Additionally, several distributions have both Passenger and Mongrel
available as native package from various repositories and they are both
relatively easy to package yourself.

Good luck!

Trevor

> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

- --
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvau...@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

- -- This account not approved for unencrypted sensitive information --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJNErcrAAoJECNCGV1OLcypjEQIAIARU754ebOWL96ewjP0C92v
PD0vOW8YJFyx2C5ODbJesb0Mr8Y7cXFE5QeKca1N4q/bPlGTouumdGCJlv1cF2WY
C99UB24TFvfeD0CqKtQUVDYNYUwyz+e1juZ+nPtBAvIq8pA+oMbmV7P3NSQSftJl
pxR6M2syMi5Oq9YF4MAKGq1lH9WA7Df8y9kaAjbnP9QKWAGnVwOqFhuBlUcuvmjC
h7kXY65//nub2V97KWBTkVE6ZG28geuXThunjb3zrYsyZro43FjZ3b9DU0A9DkAI
Go7z3rzO4x68CczmXzVbCza46xUceXs846Ldb5oGFNI8JgClDXMG5/imyD1rbMQ=
=3tO9
-----END PGP SIGNATURE-----

[Nigel Kersten]

That's actually a good point.

Are you running the puppet agent in daemon mode or scheduled out of cron?

[Douglas Garstang]

I'm running the puppet agent as a daemon.

But... I'm still not quite following what has to happen on the clients. Are we saying that I have to replace the webrick server on the clients with Passenger? That's a pretty heavy handed approach. This means that all the clients have to be running Apache.....

Doug.

 

[Patrick]

My understanding is that the client doesn't even use Webrick unless you use "listen=true".

[Trevor Vaughan]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is correct.

A simple way around this is to set up a single use ssh key that only
runs the puppetd -t command (or whatever equivalent you like).

I personally prefer to run puppetd out of cron so that it doesn't take
up any resources unless it needs to run.

Trevor

> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

- --

Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvau...@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

- -- This account not approved for unencrypted sensitive information --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJNE/ZDAAoJECNCGV1OLcypJmMIAKzQQSHNX5H01nx7fSYGxvpw
lQUw49+mdKYP/EhzKLf2fgD+POrOZGsw9QvBPkwcdoHQJPX4ywx2iWMZ1tvgIQCw
928udnSg+KxdHQs8JfwfvIExc82W3LvnNciD9/Nt/7qExzT0cHlWMh42vYG0sOpp
bFyblwKHo8fiExwTjpaer6fQmh99GsR6COHTrTHi6+7leFUcpjLG9KXAX3Lyan3A
PiQ9vQUvg/JxYODK9kMVDG420z2pn2LAl+Y8ZUaYScEnqKdWSHp7M54nOu5VZpRV
XeUTKw3bSwQVcLFDPdAX5RIURqNYimmHFjVVsOeOwPu+4KzVx79wK102vb+BfBo=
=gMq2
-----END PGP SIGNATURE-----

[Douglas Garstang]

Right... I do have listen=true on the clients because I want to be able to trigger puppet to run on a number of hosts centrally with puppetrun. If I set listen != true, I can't do this. Also... if puppet is running from cron, you can't do that either. Replacing webrick with passenger isn't really feasible since passenger isn't available as a nice simple RPM for CentOS 5.5, and I don't know what magic the gems do under the covers in order to build my own passenger RPM. I would also then need to have apache running on every single client.

Doug

[Ohad Levy]

open that port only to your puppetmaster (or wher ever you are "kicking" from)?

Ohad

[Ohad Levy]

On Fri, Dec 24, 2010 at 7:42 AM, Douglas Garstang <doug.g...@gmail.com> wrote:

Right... I do have listen=true on the clients because I want to be able to trigger puppet to run on a number of hosts centrally with puppetrun. If I set listen != true, I can't do this. Also... if puppet is running from cron, you can't do that either. Replacing webrick with passenger isn't really feasible since passenger isn't available as a nice simple RPM for CentOS 5.5, and I don't know what magic the gems do under the covers in order to build my own passenger RPM. I would also then need to have apache running on every single client.

btw: thats not accurate, you can use the puppetlisten/puppetrun from the ext [1] directory, which stand as its on service, but doesnt use webrick (and use as many system resources as puppet).

Ohad 

[1] - https://github.com/puppetlabs/puppet/tree/master/ext/puppetlisten

[Nigel Kersten]

No, that's not what I'm saying. I'm saying we've traditionally said
that using Apache with a backend resolves this for the server, but
that we've failed to consider the agent on a node in listen mode.

http://projects.puppetlabs.com/issues/5529

We didn't actually consider the listen mode of the node agent in that
bug. I've updated it and bumped the priority.

It's not reasonable for all your nodes to be running Apache. We have
some workarounds in this thread, but we should have first class
support for avoiding weak ciphers on the node when running in listen
mode.

Anyone who cares about this issue, please watch or vote that bug above
so we can prioritize accordingly.