We're currently going through a PCI audit process, and an internal scan by an auditor of our network came up with the following advisory on port 8139 on all of our puppet servers.

Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf configuration files:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Obviously, it's a canned response assuming that a web server is listening on that port. Is there any way to disable the 'weak and medium ciphers' on the default webrick server?

Doug.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> We're currently going through a PCI audit process, and an internal scan by
> an auditor of our network came up with the following advisory on port 8139
> on all of our puppet servers.
> Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
> configuration files:
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> Obviously, it's a canned response assuming that a web server is listening on
> that port. Is there any way to disable the 'weak and medium ciphers' on the
> default webrick server?

We actually had a feature request in about this recently that shouldn't be too hard to find if you do a search. More people caring about this will lead us to prioritize it more, however...

You really should move away from Webrick for production for several reasons, including this one. It's not suggested for production use.

If you move to Mongrel or Passenger with Apache, our two most common deployment methods, you can fully specify the strong ciphers.
Nigel Kersten <nigel@puppetlabs.com> writes:

> We actually had a feature request in about this recently that shouldn't
> be too hard to find if you do a search. More people caring about this
> will lead us to prioritize it more, however...

> You really should move away from Webrick for production for several
> reasons, including this one. It's not suggested for production use.

Webrick is very nice for the Puppet CA if one wants to run it on a separate system that doesn't otherwise need a full web server. It allows the CA to run as a nicely stand-alone service, and the CA is not particularly performance-critical and doesn't suffer from the performance issues of Webrick.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <nigel@puppetlabs.com> wrote:
> [...]
> You really should move away from Webrick for production for several
> reasons, including this one. It's not suggested for production use.
>
> If you move to Mongrel or Passenger with Apache, our two most common
> deployment methods, you can fully specify the strong ciphers.

Nigel,

Well, I can go back and give Passenger another shot, but I didn't pursue it originally because I wasn't able to get the perfect combination of ruby, rack etc etc to make it work. It involves a lot of magic voodoo. Passenger is also installed from ruby gems which, as an ops person, makes my skin crawl.

Also... I'm not sure if I understand this issue correctly, but the client itself runs the WEBrick server, correct? What is this for? Is this to allow puppetrun to be run from the server? If that's the case, I would also have to move every client to Passenger or Mongrel as well. I'm not sure about Mongrel, but that means a rather complicated update on the clients, given Passenger's voodoo install magic.

Doug.
Neither Passenger nor Mongrel is that difficult to set up behind Apache, but I will say that the Passenger instructions are quite user friendly.

I attempted to provide the capability to modify the cipher sets in Puppet for my own interest, but this is actually a limitation in the Webrick codebase itself and I wasn't quite up to modifying the Ruby guts when an Apache front-end was so simple to accomplish.

That said, you could also use Webrick behind an Apache front end and it *should* work in passthrough mode, but I haven't tested it since Passenger and Mongrel were so straightforward.

Additionally, several distributions have both Passenger and Mongrel available as native packages from various repositories, and they are both relatively easy to package yourself.

Good luck!

Trevor

On 12/22/2010 07:24 PM, Douglas Garstang wrote:
> [...]
> Well, I can go back and give Passenger another shot, but I didn't pursue
> it originally because I wasn't able to get the perfect combination of
> ruby, rack etc etc to make it work. It involves a lot of magic voodoo.
> Passenger is also installed from ruby gems which, as an ops person,
> makes my skin crawl.
>
> Also... I'm not sure if I understand this issue correctly, but the
> client itself runs the WEBrick server, correct? What is this for? Is
> this to allow puppetrun to be run from the server? If that's the case, I
> would also have to move every client to Passenger or Mongrel as well.
> I'm not sure about Mongrel, but that means a rather complicated update
> on the clients, given Passenger's voodoo install magic.
>
> Doug.

--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaughan@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
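As an added example (not code from this thread, from Puppet or from WEBrick), the Ruby script below resolves the auditor's SSLCipherSuite string from the opening message, and a hardened alternative, through the OpenSSL library that Ruby links against, then flags which of the admitted suites a PCI scan would still object to. WEBrick of that era exposed no cipher setting, as Trevor notes, so this is the check to run against whatever does let you set the list (an Apache front end, or an OpenSSL::SSL::SSLContext in a Ruby server you control). HARDENED_SPEC, the WEAK_MARKERS heuristic and the function names are my assumptions, not anything the thread recommends.

```ruby
# Added example, not from the thread: resolve an OpenSSL cipher spec and
# report which admitted suites are weak.  Requires only Ruby's stdlib.
require 'openssl'

# Cipher string quoted by the auditor (an old Apache default).  By design it
# still admits RC4 and MEDIUM-strength suites where the OpenSSL build has them.
AUDITOR_SPEC  = 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'
# Hardened alternative (assumption for this example, not a thread recommendation).
HARDENED_SPEC = 'HIGH:!aNULL:!eNULL:!LOW:!EXP:!MEDIUM:!RC4:!DES:!3DES:!MD5'

# Name fragments that mark a suite as weak regardless of its advertised key size
# (heuristic chosen for this example).
WEAK_MARKERS = %w[NULL RC4 DES MD5 EXP].freeze

# Classify one entry in the shape OpenSSL::SSL::SSLContext#ciphers returns:
# [name, protocol_version, key_bits, alg_bits].  True means "do not offer this
# on a PCI-scoped listener".
def weak_cipher?(entry)
  name, _version, bits, _alg_bits = entry
  return true if bits < 128
  WEAK_MARKERS.any? { |marker| name.include?(marker) }
end

# Resolve a cipher spec through the linked OpenSSL and return
# [admitted_names, weak_names].  Raises OpenSSL::SSL::SSLError when the spec
# matches no suite at all, which is what a typo in a cipher string looks like.
def resolve_cipher_spec(spec)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = spec
  entries = ctx.ciphers
  [entries.map(&:first), entries.select { |e| weak_cipher?(e) }.map(&:first)]
end

# Human-readable summary for one spec.
def report(spec)
  admitted, weak = resolve_cipher_spec(spec)
  puts "#{spec}\n  admits #{admitted.size} suites, #{weak.size} weak: #{weak.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  report(AUDITOR_SPEC)
  report(HARDENED_SPEC)
end
```

Run it with ruby and it prints, for each spec, how many suites are admitted and which of them are weak. What the auditor's string admits depends on the OpenSSL build (recent builds no longer compile RC4 or export suites at all), which is exactly why checking the resolved list on the real host is more reliable than reading the string; TLS 1.3 suites, where the library has them, show up in the same list and pass the classifier.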
On Wed, Dec 22, 2010 at 4:24 PM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> [...]
> Also... I'm not sure if I understand this issue correctly, but the client
> itself runs the WEBrick server, correct? What is this for? Is this to allow
> puppetrun to be run from the server? If that's the case, I would also have
> to move every client to Passenger or Mongrel as well. I'm not sure about
> Mongrel, but that means a rather complicated update on the clients, given
> Passenger's voodoo install magic.

That's actually a good point.

Are you running the puppet agent in daemon mode or scheduled out of cron?
On Wed, Dec 22, 2010 at 8:33 PM, Nigel Kersten <nigel@puppetlabs.com> wrote:
> [...]
> That's actually a good point.
>
> Are you running the puppet agent in daemon mode or scheduled out of cron?

I'm running the puppet agent as a daemon.

But... I'm still not quite following what has to happen on the clients. Are we saying that I have to replace the webrick server on the clients with Passenger? That's a pretty heavy-handed approach. This means that all the clients have to be running Apache.....

Doug.
On Dec 23, 2010, at 10:48 AM, Douglas Garstang wrote:
> [...]
> I'm running the puppet agent as a daemon.
>
> But... I'm still not quite following what has to happen on the clients.
> Are we saying that I have to replace the webrick server on the clients
> with Passenger? That's a pretty heavy-handed approach. This means that
> all the clients have to be running Apache.....

My understanding is that the client doesn't even use Webrick unless you use "listen=true".
This is correct.

A simple way around this is to set up a single-use ssh key that only runs the puppetd -t command (or whatever equivalent you like).

I personally prefer to run puppetd out of cron so that it doesn't take up any resources unless it needs to run.

Trevor

On 12/23/2010 07:52 PM, Patrick wrote:
> [...]
> My understanding is that the client doesn't even use Webrick unless you
> use "listen=true".

--
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaughan@onyxpoint.com
phone: 410-541-ONYX (6699)
pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
On Thu, Dec 23, 2010 at 4:52 PM, Patrick <kc7zzv@gmail.com> wrote:
> [...]
> My understanding is that the client doesn't even use Webrick unless you use
> "listen=true".

Right... I do have listen=true on the clients because I want to be able to trigger puppet to run on a number of hosts centrally with puppetrun. If I set listen != true, I can't do this. Also... if puppet is running from cron, you can't do that either. Replacing webrick with passenger isn't really feasible since passenger isn't available as a nice simple RPM for CentOS 5.5, and I don't know what magic the gems do under the covers in order to build my own passenger RPM. I would also then need to have apache running on every single client.

Doug
Open that port only to your puppetmaster (or wherever you are "kicking" from)?

Ohad

On Fri, Dec 24, 2010 at 7:42 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> [...]
> Right... I do have listen=true on the clients because I want to be able to
> trigger puppet to run on a number of hosts centrally with puppetrun. If I
> set listen != true, I can't do this. Also... if puppet is running from cron,
> you can't do that either. Replacing webrick with passenger isn't really
> feasible since passenger isn't available as a nice simple RPM for CentOS
> 5.5, and I don't know what magic the gems do under the covers in order to
> build my own passenger RPM. I would also then need to have apache running on
> every single client.
>
> Doug
On Fri, Dec 24, 2010 at 7:42 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> Right... I do have listen=true on the clients because I want to be able to
> trigger puppet to run on a number of hosts centrally with puppetrun. If I
> set listen != true, I can't do this. Also... if puppet is running from cron,
> you can't do that either. Replacing webrick with passenger isn't really
> feasible since passenger isn't available as a nice simple RPM for CentOS
> 5.5, and I don't know what magic the gems do under the covers in order to
> build my own passenger RPM. I would also then need to have apache running on
> every single client.

btw: that's not accurate, you can use the puppetlisten/puppetrun from the ext [1] directory, which stands as its own service, but doesn't use webrick (and use as many system resources as puppet).

Ohad

[1] - https://github.com/puppetlabs/puppet/tree/master/ext/puppetlisten
On Thu, Dec 23, 2010 at 10:48 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> On Wed, Dec 22, 2010 at 8:33 PM, Nigel Kersten <nigel@puppetlabs.com> wrote:
>> That's actually a good point.
>>
>> Are you running the puppet agent in daemon mode or scheduled out of cron?
>
> I'm running the puppet agent as a daemon.
> But... I'm still not quite following what has to happen on the clients. Are
> we saying that I have to replace the webrick server on the clients with
> Passenger? That's a pretty heavy-handed approach. This means that all the
> clients have to be running Apache.....

No, that's not what I'm saying.

I'm saying we've traditionally said that using Apache with a backend resolves this for the server, but that we've failed to consider the agent on a node in listen mode.

http://projects.puppetlabs.com/issues/5529

We didn't actually consider the listen mode of the node agent in that bug. I've updated it and bumped the priority.

It's not reasonable for all your nodes to be running Apache. We have some workarounds in this thread, but we should have first-class support for avoiding weak ciphers on the node when running in listen mode.

Anyone who cares about this issue, please watch or vote for that bug above so we can prioritize accordingly.