Robert Mombro
2007-Mar-19 17:30 UTC
Changing the SSL Ciphers used between Puppet client and server.
Hello,

Is it possible to specify which of the OpenSSL ciphers to utilize during client/server communication?

Thank you,

-- Rob --
Benjamin C. Kite
2007-Mar-20 15:26 UTC
Re: Changing the SSL Ciphers used between Puppet client and server.
On Mar 19, 2007, at 1:30 PM, Robert Mombro wrote:
> Hello,
>
> Is it possible to specify which of the OpenSSL ciphers to utilize
> during client/server communication?
>
> Thank you,
>

I don't believe this is an option in Puppet at this time, but I will look into it further and find out for sure.
Benjamin C. Kite
2007-Mar-20 18:13 UTC
Re: Changing the SSL Ciphers used between Puppet client and server.
On Mar 19, 2007, at 1:30 PM, Robert Mombro wrote:
> Hello,
>
> Is it possible to specify which of the OpenSSL ciphers to utilize
> during client/server communication?
>
> Thank you,
>
> -- Rob --

After reviewing the code, it seems my first assumption was correct; we don't currently support changing the cipher type on either end of the SSL connection. It appears that webrick has this capability, so it is functionality that could potentially be added to Puppet in the future, but probably not without some advocacy from the community.

How were you planning to use this functionality, i.e. what problem does this solve for you? Perhaps there's another approach to the problem. Is this something that's of major importance to your site?

If you'd like to add this as an enhancement request on our trac site, we'll take it into account when we choose new enhancements to add to the new release of Puppet. If it happened you were extra-industrious and sent us a patch to add this functionality to Puppet, we'd probably have no problem applying it after a bit of examination.

Here's where you can add requests to the Puppet project (you'll need to register first):

<https://reductivelabs.com/cgi-bin/puppet.cgi/newticket>
Jeff McCune
2007-Mar-20 18:39 UTC
Re: Changing the SSL Ciphers used between Puppet client and server.
Benjamin C. Kite wrote:
> On Mar 19, 2007, at 1:30 PM, Robert Mombro wrote:
>
>> Hello,
>>
>> Is it possible to specify which of the OpenSSL ciphers to utilize
>> during client/server communication?
>>
>> Thank you,
>>
>> -- Rob --
>
> After reviewing the code, it seems my first assumption was correct;
> We don't currently support changing the cipher type in on either end
> of the SSL connection. It appears that webrick has this capability,
> so it is functionality that could potentially be added to Puppet in
> the future, but probably not without some advocacy from the community.

I'm not specifically concerned about ciphers, but I am poking pretty heavily at webrick. I've been relatively unsuccessful trying to locate good documentation on the SSL features of webrick related to client authentication.

Do you remember where you found the information about webrick's cipher suite? I'm hoping to find some more details on the trusted cert store to finish up the details of http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities

Cheers,
--
Jeff McCune
The Ohio State University
Department of Mathematics
Systems Manager
Robert Mombro
2007-Mar-20 19:19 UTC
Re: Changing the SSL Ciphers used between Puppet client and server.
Mr. Kite,

The impetus behind this question is to ensure that the strongest ciphers are used that are appropriate for a CM tool. Generally, OpenSSL uses the strongest match between the server and client cipher set. Unfortunately, without being able to explicitly set the ciphers, you may end up with DES due to a bug at some level.

It isn't critical as long as the system somehow ensures that it is using a reasonable cipher set, such as HIGH or MEDIUM, but it would be nice to actually know what is allowed to be set.

Thank you,

-- Rob --
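
The concern in the last message, that nobody knows which suites a cipher string actually permits, can be checked directly from Ruby's OpenSSL binding. The following is an added example, not code from this thread or from Puppet; the helper names, the weak-name pattern, the 128-bit floor and the sample list are assumptions of the example.

```ruby
require "openssl"

# Name fragments treated as weak here: single/triple DES, RC4/RC2, export-grade,
# unencrypted (NULL) and anonymous key exchange suites, and MD5 MACs.
# The pattern and the 128-bit floor are choices made for this example.
WEAK_NAME = /(\A|-)(3?DES|RC4|RC2|NULL|EXP|ADH|AECDH)(-|\z)|MD5/
MIN_BITS  = 128

# Cipher string built on the HIGH class mentioned in the thread (example value).
RESTRICTED = "HIGH:!aNULL:!eNULL:!3DES"

# Expand an OpenSSL cipher string into the suites this OpenSSL build offers.
# Each entry is [name, protocol_version, secret_bits, algorithm_bits].
def expand_cipher_string(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers
end

# Names of suites that fall below the bit floor or belong to a weak family.
def weak_suites(suites, min_bits = MIN_BITS)
  suites.select { |name, _version, bits, _alg_bits|
    bits < min_bits || name.match?(WEAK_NAME)
  }.map(&:first)
end

# Constructed sample in the shape ctx.ciphers returns, so the check is visible
# even on OpenSSL builds that no longer ship DES or export suites.
SAMPLE = [
  ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2",     128, 128],
  ["AES256-SHA",                  "TLSv1/SSLv3", 256, 256],
  ["DES-CBC-SHA",                 "TLSv1/SSLv3",  56,  56],
  ["EXP-RC4-MD5",                 "TLSv1/SSLv3",  40, 128],
  ["DES-CBC3-SHA",                "TLSv1/SSLv3", 112, 168],
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "sample:     #{weak_suites(SAMPLE).inspect}"
  puts "DEFAULT:    #{weak_suites(expand_cipher_string('DEFAULT')).inspect}"
  puts "restricted: #{weak_suites(expand_cipher_string(RESTRICTED)).inspect}"
end
```

The list printed for `DEFAULT` depends on the OpenSSL build Ruby is linked against, so run the audit on the same host and Ruby that run the Puppet server.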