Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

puppetserver cipher suites must be upgraded #714

Closed
fschaer opened this issue Nov 22, 2019 · 2 comments · Fixed by #721
Closed

puppetserver cipher suites must be upgraded #714

fschaer opened this issue Nov 22, 2019 · 2 comments · Fixed by #721
Labels
skip-changelog

Comments

@fschaer
Copy link
Contributor

fschaer commented Nov 22, 2019

Hi,

I got a very hard time upgrading my puppetdb from 5.2 to 6.7.3-1.

According to documentation, if not specified, puppetdb will use "only non-DHE ciphers".
See : https://puppet.com/docs/puppetdb/latest/configure.html#cipher-suites

When starting in debug mode, I found that it in fact only accepts these keys on CentOS 7.7.1908 + jdk 1.8 :

2019-11-22T14:59:01.924+01:00 DEBUG [o.e.j.u.s.SslContextFactory] Selected Ciphers [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] of [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

So in fact only TLS_DHE and TLS_ECDH keys are selected (everything before the " of ".

Thing is : the foreman module only configures the following keys by default :

[ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA' ]

This leads to cryptic javax.net.ssl.SSLException: Received fatal alert: handshake_failure and Puppet Error connecting to XXX on 8081 at route /pdb/cmd/v1?checksum errors in puppetserver logs, and to no ciphers in common errors in puppetdb logs (debug mode for htttp connexions). And this breaks puppet(db)6 upgrades.

To keep compatibility, I'd suggest defaulting to a combination of the old and some new keys, possibly (not sure if the order matters) :

[ 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' ]

Changing the puppetserver (v6) cipher suites manually restores puppetdb connection after a puppetserver restart.

Regards
@ekohl
Copy link
Member

ekohl commented Nov 22, 2019

I agree they're a bit outdated now. Could you come up with a PR that includes your suggestion?

@fschaer
Copy link
Contributor Author

fschaer commented Nov 22, 2019

Just re-tested to make sure, and found out that it's not even sufficient to upgrade the puppetserver ciphers... damn. puppetdb 6.7 cipher-suites must also be specified to allow the same and current keys, otherwise some (not all) puppetdb queries still fail (?? uh ??)

Only the /pdb/cmd/v1?checksum queries fail.. definitely not a "yum update" as stated in puppetlabs docs ;)

I'll create try to create a PR a.s.a.p, I'm just unsure where the puppetdb changes should go, as the puppetdb is the puppetlabs... I'll check.

Regards

@fschaer fschaer mentioned this issue Dec 3, 2019
Closed
@mmoll mmoll mentioned this issue Jan 15, 2020
Merged
ekohl pushed a commit that referenced this issue Jan 21, 2020
@fschaer @ekohl
Update cipher suites
8cc4e30 
This change is needed as puppetlabs is allowing only (non ?)-DH ciphers in puppetdb6, which in turn causes connectivity failures between puppet server and puppetdb if no common cipher is found. Unfortunately, changing the puppet server ciphers is not enough, setting the puppetdb ciphers is also necessary to make sure all communications are ok - this was added in the README in the puppetdb integration section as this change has to be done outside this module.

Fixes GH-714
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
skip-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update cipher suites
Update cipher suites
2 participants
@ekohl @fschaer