path: root/ext/rack
Age | Commit message | Author | Files | Lines
2014-07-03 | (PUP-2177) Change Crypto Spec in accordance with bettercrypto.org | Aaron Zauner | 1 | -2/+2
We provide an Apache vhost configuration for users that want to run a Puppet master using Apache and Passenger. The configuration was added in d85d73c (five years ago, roughly) and set the SSLProtocol and SSLCipherSuite directives using the assumptions about cryptography at the time. As part of PUP-2582, commit 05af20b70 updated the SSL cipher suite and protocol settings to remove some of the most vulnerable ciphers, but still contained some relaxed settings to ensure compatibility with as many platforms as possible.

-- Summary

This commit updates the SSLProtocol and SSLCipherSuite directives to ensure we only use secure ciphers while continuing to function on all supported platforms. The most notable difference is that this change switches the cipher selection from a blacklist, where all ciphers are added and then selectively removed, to a whitelist, where only known safe ciphers are allowed. The cipher suite has been selected using the guidelines laid out by the Applied Crypto Hardening paper[0].

-- Overall cipher selection

This cipher suite was chosen by selecting for the following criteria:

* TLS 1.0, 1.1, 1.2
* Perfect forward secrecy/ephemeral Diffie Hellman where possible
* Preferring strong MACs (SHA-2) where possible
* GCM as the authenticated encryption scheme where possible
* Always falling back to reasonably acceptable schemes for maximum platform compatibility

The resulting cipher suite has the following implications: TLSv1.2 is preferred over TLSv1.0, but it still provides reasonable ciphers with TLSv1.0.

-- Key exchange

Ephemeral Diffie Hellman and Ephemeral Elliptic Curve Diffie Hellman are used for key exchange. EDH is preferred over EECDH due to ongoing concerns with potential weaknesses in elliptic curve cryptography, but EECDH is still included due to the performance benefits of EECDH over EDH.[1] Non-ephemeral Diffie Hellman is not used, to ensure perfect forward secrecy.

If EDH or EECDH are not available, key exchange will be done using RSA for compatibility with legacy SSL libraries.

-- Authentication

RSA is used for authentication as it works in most of today's setups and modern implementations are resistant to attack for the foreseeable future.

-- Encryption

AES256 and CAMELLIA256 count as very strong ciphers at the moment, but if these algorithms are not available then AES128 or CAMELLIA128 will be used as fallbacks since they are still reasonably strong. CAMELLIA is preferred over AES due to the decision by NSS to prefer CAMELLIA, with the following rationale:

    National ciphers such as Camellia are listed before international ciphers such as AES and RC4 to allow servers that prefer Camellia to be able to negotiate Camellia without having to disable AES and RC4, which are needed for interoperability with clients that don't yet implement Camellia.[2]

-- Message Authentication (MAC)

Message authentication prefers AEAD with GCM, and then falls back to SHA256. If ECDHE is used, SHA384 will be used when available. If no better option is available, SHA1 will be used.

-- Fallback

When no better cipher is available, CAMELLIA128-SHA and then AES128-SHA (with RSA for authentication) will be used, for cases such as OpenSSL 0.9.8, which does not provide support for ECC and TLSv1.1 or above.

-- Blacklisted algorithms

On top of the algorithms blacklisted in 05af20b7, ECDSA has been disabled due to outstanding concerns about weaknesses to cache timing attacks.[3]

[0] "Applied Crypto Hardening": https://bettercrypto.org/static/applied-crypto-hardening.pdf
[1] "A Note on Elliptic Curve Cryptography", "Applied Crypto Hardening" section 3.7
[2] "Document the policy for the order of cipher suites in SSL_ImplementedCiphers.": https://bugzilla.mozilla.org/show_bug.cgi?id=430875
[3] "How to design an elliptic-curve signature system": http://blog.cr.yp.to/20140323-ecdsa.html

Thanks to Aaron Zauner <azet@azet.org> and bettercrypto.org for generating and submitting the updated cipher suite.

Commit message amended by Adrien Thebo <adrien@puppetlabs.com>
2014-05-27 | (PUP-2533) Apache 2.4 requires explicit CRL configuration | Adrien Thebo | 1 | -0/+4
In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath directives were specified, then the specified file(s) would be checked when establishing an SSL connection. In Apache 2.4+, the SSLCARevocationCheck directive was added to control how CRLs were checked when verifying a connection, and it had a default value of none. This means that Apache defaults to ignoring CRLs even if paths to CRL files are specified.

This commit updates the debian postinst script for the puppetmaster-passenger package to set the SSLCARevocationCheck directive to 'chain' when Apache 2.4 is installed. This ensures that the puppetmaster-passenger vhost respects CRL files in the same way that Apache 2.2 does by default. Apache 2.2
2014-05-15 | (PUP-2582) Update apache vhost SSL settings | Matthaus Owens | 1 | -2/+3
Previously the apache vhost defined an SSLCipherSuite which included several weak ciphers. This commit disables the following algorithms: aNULL, eNULL, DES, 3DES, IDEA, SEED, DSS, PSK, RC4, MD5

Second, previously LOW, SSLv2, and EXP were removed, but not killed from the list, which meant that they could be added again in subsequent declarations.

Third, ALL:!ADH meant that AECDH was enabled. This commit uses !aNULL to disable all anonymous authentication algorithms. It also explicitly specifies !eNULL (anonymous encryption algorithms).

Fourth, we were only enabling SSLv3 and TLSv1, but not TLSv1.1 or TLSv1.2. TLSv1.2 protects against attacks known to work against SSLv3 and TLSv1.0.

Finally, SSLHonorCipherOrder is set to on, because certain clients do not send ciphers in the correct preferred order, and this setting will help mitigate that problem.

Thanks to Aaron Zauner <azet@azet.org> for bringing this to our attention.
2013-11-01 | (maint) Remove stale files from ext/rack | Nick Fagerlund | 4 | -117/+6
The ext/rack directory had an outdated README file and an ancient manifest.pp file, and the useful files (config.ru and the example vhost) were buried in a subdirectory. This commit removes the old files, moves the good files up a level, and adds a comment to the vhost pointing to the maintained passenger documentation.
2012-10-11 | (Maint) Update config.ru to fix issue with vardir | Jeff McCune | 1 | -2/+4
Without this patch the config.ru example only contains the --confdir argument. This is a problem because when Puppet starts from config.ru, it will automatically be switched by Passenger to the EUID of the owner of the file. Puppet will still try to write to the default vardir of ~/.puppet/ in this situation, which may be a problem because $HOME might be ~root. This patch fixes the problem by adding the --vardir option to the example with the default value of /var/lib/puppet.
2012-10-08 | (#16801) Remove mongrel references | Josh Cooper | 1 | -15/+0
Remove references to mongrel setups, which are no longer supported.
2012-09-06 | (#7962) Added certificate expiration checks. | Steven Lindberg | 1 | -1/+2
Warnings are logged both when receiving a request and when issuing a request, so that both the master and agent logs contain warnings. This increases visibility since the master logs are looked at more frequently, but also ensures that the warnings make it into agent reports.

The new `Puppet::Network::Authentication` module contains the logic for logging the expiration warnings (certificates are part of the authentication process, hence the name). It uses a rate-limited logger so that identical warnings as a result of multiple requests in the same run are not logged. The minimum time between log messages is set to the `runinterval` setting, since it is a good tradeoff between ensuring visibility and noisiness.
2012-08-05 | (#15337) Do not merge user and system puppet.conf | Jeff McCune | 1 | -0/+3
Puppet 3.x reads settings from both ~/.puppet/puppet.conf and the system puppet.conf without this patch applied. This is a problem because it makes it difficult to determine where to load plugins and extensions from at runtime. Merging the configuration files also makes it more difficult to explain where a particular setting is taking effect.

This patch makes the intended `puppet.conf` reading behavior the following:

1: If provided, use explicit puppet.conf in `--confdir`
2: If root, use system puppet.conf
3: Otherwise, use ~/.puppet/puppet.conf

This patch also changes the behavior of rack puppet master applications. We now intend for the rack configuration file, `config.ru`, to explicitly set `--confdir` to avoid reading from `~/.puppet/puppet.conf`. Please see the example in `ext/rack/files/config.ru` for an up to date rack configuration.
2012-08-05 | (Maint) Use $LOAD_PATH instead of $: | Jeff McCune | 1 | -1/+1
This is just slightly more readable.
2012-05-22 | (#14609) Fix master initialization when running under Passenger | cprice | 1 | -2/+17
There is some initialization that happens in CommandLine.rb (such as parsing the puppet config file) which was being bypassed when launching puppetmaster as a Rack/Passenger app. This commit tweaks the rack config to call into CommandLine directly, which is unfortunate but works for now.
2012-03-28 | (#12466) unset X-Forwarded-For header | Moses Mendoza | 1 | -0/+3
Without this patch the handling of X-Forwarded-For headers is insecure in a default apache conf supplied with puppet. This patch ensures X-Forwarded-For headers are dropped.

Signed-off-by: Moses Mendoza <moses@puppetlabs.com>
2011-11-11 | Added missing RequestHeader entries to ext/rack/files/apache2.conf | Eli Klein | 1 | -0/+4
2010-08-13 | Fixed #4527 correctly for 2.6.1 | James Turnbull | 1 | -1/+0
2010-08-13 | Updated config.ru example for 2.6.1 | James Turnbull | 1 | -1/+1
2010-07-21 | Fixed example config.ru | James Turnbull | 1 | -3/+2
2009-11-18 | rack: SSL Env vars can only be in Request.env | Christian Hofstaedtler | 1 | -2/+2
This reverts commit c702f76b271515e9c42dcb923d379fbfac4c83cd and turns it into a documentation only fix. As it turns out, ENV should have never been used at all, as the Rack docs say nothing about it *and* Passenger's behaviour in 2.2.3 + 2.2.4 was completely broken and still is half-way broken in 2.2.5 (but is OK with the Rack specs).
2009-08-03 | rack: SSL Env vars can be in Request.env or ENV | Christian Hofstaedtler | 1 | -4/+7
Fix #2386, by checking either Request.env or ENV for the SSL environment variables. This is necessary as Passenger 2.2.3 changed the location of these vars, even though the Rack spec says nothing about ENV or these variables.
2009-07-30 | Fix #2467 - rack: suggest putting puppet/lib at beginning of RUBYLIB search path | Marc Fournier | 1 | -1/+1
If you happen to already have puppet code somewhere in your ruby path, you might get unexpected behaviour when trying to run puppetmaster with passenger. Suggesting that the path to puppet/lib gets prepended instead of appended to RUBYLIB could save time for some.

Signed-off-by: Marc Fournier <marc.fournier@camptocamp.com>
2009-07-23 | Fixes #2430 - Stock apache2.conf for passenger incorrect | James Turnbull | 1 | -9/+11
2009-06-06 | Removed extra whitespace from end of lines | Ian Taylor | 2 | -7/+7
2009-05-02 | puppetmasterd can now run as a standard Rack application (config.ru-style) | Christian Hofstaedtler | 4 | -0/+183