<feed xmlns='http://www.w3.org/2005/Atom'>
<title>puppet/spec, branch master</title>
<subtitle>[no description]</subtitle>
<id>https://git.osdyson.ru/pkg-puppet/puppet/atom?h=master</id>
<link rel='self' href='https://git.osdyson.ru/pkg-puppet/puppet/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/'/>
<updated>2014-10-21T00:01:48Z</updated>
<entry>
<title>(PUP-3467) Reject SSLv3 when initiating SSL connections</title>
<updated>2014-10-21T00:01:48Z</updated>
<author>
<name>Josh Cooper</name>
<email>josh@puppetlabs.com</email>
</author>
<published>2014-10-20T22:00:22Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=885838a0c1705ad0dee2fa168a992188f79faf99'/>
<id>urn:sha1:885838a0c1705ad0dee2fa168a992188f79faf99</id>
<content type='text'>
Previously, when puppet initiated SSL connections, e.g. puppet agent,
puppet module, etc, it could downgrade to SSLv3.

This commit ensures puppet will not downgrade to SSLv3 by setting the
`OpenSSL::SSL::OP_NO_SSLv3` bit. However, unlike SSLv2, we cannot remove
SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the
openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".

[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
</content>
</entry>
<entry>
<title>(PUP-3467) Update webrick ciphersuites to match passenger</title>
<updated>2014-10-21T00:01:47Z</updated>
<author>
<name>Josh Cooper</name>
<email>josh@puppetlabs.com</email>
</author>
<published>2014-10-20T21:45:37Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=67b89bdda95149cc2df7abac2da8d906ccd551ce'/>
<id>urn:sha1:67b89bdda95149cc2df7abac2da8d906ccd551ce</id>
<content type='text'>
Previously, puppet's webrick server did not specify which ciphersuites
it would accept. Depending on the ruby and openssl, the default set of
ciphersuites is:

    $ ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]'
    ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Note that "ALL:!ADH" does not exclude AECDH, and the default param
string includes "LOW", e.g. DES-CBC-SHA.

This commit updates the webrick ciphersuites to match the value used
in passenger in commit 204b2974b. The resulting ciphersuites are:

    [["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["DHE-RSA-CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
     ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
     ["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
     ["CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
     ["AES256-SHA", "TLSv1/SSLv3", 256, 256],
     ["CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
     ["AES128-SHA", "TLSv1/SSLv3", 128, 128]]
</content>
</entry>
<entry>
<title>(PUP-3467) Reject SSLv3 connections in webrick</title>
<updated>2014-10-20T22:28:43Z</updated>
<author>
<name>Josh Cooper</name>
<email>josh@puppetlabs.com</email>
</author>
<published>2014-10-20T21:21:34Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=cb6bc786db52c604f112141e29b8d7b1427bfafa'/>
<id>urn:sha1:cb6bc786db52c604f112141e29b8d7b1427bfafa</id>
<content type='text'>
Webrick will now reject SSLv3 connections. If an SSL client tries to
connect with SSLv3, webrick+openssl will issue an sslv3 alert
handshake failure.
</content>
</entry>
<entry>
<title>(PUP-3201) Stop using :undef for parameters in 4x</title>
<updated>2014-10-16T23:37:46Z</updated>
<author>
<name>Andrew Parker</name>
<email>andy@puppetlabs.com</email>
</author>
<published>2014-10-16T23:37:46Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=d4b882760269060287bd8325548eea2a29f64506'/>
<id>urn:sha1:d4b882760269060287bd8325548eea2a29f64506</id>
<content type='text'>
The :undef symbol was still leaking all over the place internally. This
caused type inference to sometimes end up with Runtime[ruby, Symbol]. By
using nil instead of :undef, everything can be much more
straightforward. Once the code removal for puppet 4 comes into play even
more oddities around how resource parameters are handled can be
performed.
</content>
</entry>
<entry>
<title>(maint) Only test lookup() with future parser</title>
<updated>2014-10-16T21:20:00Z</updated>
<author>
<name>Andrew Parker</name>
<email>andy@puppetlabs.com</email>
</author>
<published>2014-10-16T21:20:00Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=a40cfd624fbc7380690d76a6cb691225e0e9eeba'/>
<id>urn:sha1:a40cfd624fbc7380690d76a6cb691225e0e9eeba</id>
<content type='text'>
The lookup function only works when the future parser is in effect. This
changes the spec tests to turn on the future parser.
</content>
</entry>
<entry>
<title>Merge pull request #3195 from hlindberg/PUP-3401_fix-pattern-type</title>
<updated>2014-10-16T18:17:56Z</updated>
<author>
<name>Andrew Parker</name>
<email>andy@puppetlabs.com</email>
</author>
<published>2014-10-16T18:17:56Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=873a93ed5b5f0bdbded4bc739a601ef77cd19555'/>
<id>urn:sha1:873a93ed5b5f0bdbded4bc739a601ef77cd19555</id>
<content type='text'>
(PUP-3401) Fix type calculations of "all Patterns"</content>
</entry>
<entry>
<title>(PUP-3334) Add test to ensure cache is cleared</title>
<updated>2014-10-15T22:55:27Z</updated>
<author>
<name>Hailee Kenney</name>
<email>hailee@puppetlabs.com</email>
</author>
<published>2014-10-14T17:48:27Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=04b47bebf80c14b0e40a6bde7888e58fcfcbad72'/>
<id>urn:sha1:04b47bebf80c14b0e40a6bde7888e58fcfcbad72</id>
<content type='text'>
In order to ensure that we don't encounter this issue again, add
a test case to environments_spec to ensure that the cache is being
properly cleared.

Additionally, fix a small bug in environment's list method where
a string should have been converted to a symbol.
</content>
</entry>
<entry>
<title>Merge pull request #3164 from ffrank/ticket/3.7.x/PUP-3357-purge-unnamed-ssh-keys</title>
<updated>2014-10-15T18:03:11Z</updated>
<author>
<name>Kylo Ginsberg</name>
<email>kylo@puppetlabs.com</email>
</author>
<published>2014-10-15T18:03:11Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=a8060647f705ee2b2db766bd2b87963ee6f5adbd'/>
<id>urn:sha1:a8060647f705ee2b2db766bd2b87963ee6f5adbd</id>
<content type='text'>
(PUP-3357) purge unnamed ssh keys</content>
</entry>
<entry>
<title>(PUP-3357) integration test for purging of unnamed ssh authorized keys</title>
<updated>2014-10-15T17:52:45Z</updated>
<author>
<name>Felix Frank</name>
<email>Felix.Frank@Alumni.TU-Berlin.de</email>
</author>
<published>2014-10-13T22:25:53Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=2a0eaac7321f199e023fd9500cfab64cfd6544ce'/>
<id>urn:sha1:2a0eaac7321f199e023fd9500cfab64cfd6544ce</id>
<content type='text'>
Add an integration test with an ssh keyfile in which two keys have no name
and make sure that both are successfully purged.
</content>
</entry>
<entry>
<title>(PUP-3357) unit tests for the purging of multiple unnamed keys</title>
<updated>2014-10-15T17:52:45Z</updated>
<author>
<name>Felix Frank</name>
<email>Felix.Frank@Alumni.TU-Berlin.de</email>
</author>
<published>2014-10-06T22:47:09Z</published>
<link rel='alternate' type='text/html' href='https://git.osdyson.ru/pkg-puppet/puppet/commit/?id=c9fd8dcb8c1860e80215a3d9fa1ee7fedec0ec2e'/>
<id>urn:sha1:c9fd8dcb8c1860e80215a3d9fa1ee7fedec0ec2e</id>
<content type='text'>
Just makes sure that the user type and ssh_authorized_keys provider
generate pseudo-names for keys following the same pattern.
</content>
</entry>
</feed>
