i am new to puppet and a bit in the dark.
i am trying to run puppet master and agent
on the same machine (Nov 5 snapshot):

$ sudo puppet agent -t
Info: Creating a new SSL key for myhost
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for myhost
Info: Certificate Request fingerprint (SHA256): 87:A6:96:54:03:DE:BB:6A:BC:E1:33:B7:75:3A:F0:9D:29:52:7A:81:66:A5:80:29:28:2B:CE:34:21:44:56:9B
Exiting; no certificate found and waitforcert is disabled

$ sudo puppet cert sign myhost
Notice: Signed certificate request for myhost
Notice: Removing file Puppet::SSL::CertificateRequest myhost at '/etc/puppet/ssl/ca/requests/myhost.pem'

$ sudo puppet agent -t
Info: Caching certificate for myhost
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=myhost]
Exiting; failed to retrieve certificate and waitforcert is disabled
could this be because of the recent disabling of SSLv3?

i found this bit in puppet/util/monkey_patches.rb:

# (#19151) Reject all SSLv2 ciphers and handshakes
require 'openssl'
class OpenSSL::SSL::SSLContext
  if DEFAULT_PARAMS[:options]
    DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  else
    DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  end
  DEFAULT_PARAMS[:ciphers] << ':!SSLv2'

  alias __original_initialize initialize
  private :__original_initialize

  def initialize(*args)
    __original_initialize(*args)
    params = {
      :options => DEFAULT_PARAMS[:options],
      :ciphers => DEFAULT_PARAMS[:ciphers],
    }
    set_params(params)
  end
end

and SSLv3 is also mentioned in puppet/network/http/webrick.rb:

class Puppet::Network::HTTP::WEBrick
  CIPHERS = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

then there is this ticket that seems to go nowhere:
https://tickets.puppetlabs.com/browse/PUP-1521

and finally this article was not very helpful for me:
http://puppetlabs.com/blog/impact-assessment-sslv3-vulnerability-poodle-attack

-f
-- 
nobody can be exactly like me.  even i have trouble doing so.

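The bracketed part of the agent's error, "certificate verify failed: [certificate revoked for /CN=myhost]", is OpenSSL's X.509 chain verification result: it is raised when the serial number of the certificate presented by the peer appears in a CRL the client has loaded, and that check is made independently of which protocol versions the SSL context disables. As an added example (not from the post above and not Puppet's own code), the Ruby script below builds a constructed CA, issues two certificates for /CN=myhost, revokes the first in a CRL, and verifies both with CRL checking enabled; the CA name and serial numbers are made up for the demo.

```ruby
require 'openssl'

# Issue an X.509 v3 certificate; with no issuer it is a self-signed CA root.
def make_cert(subject, serial, key, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  unless issuer # mark the root as a CA so OpenSSL accepts it as an issuer
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Build a CRL, signed by the CA, that lists one serial number as revoked.
def make_crl(ca_cert, ca_key, revoked_serial)
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, ca_cert.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  rev = OpenSSL::X509::Revoked.new
  rev.serial, rev.time = revoked_serial, Time.now
  crl.add_revoked(rev)
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verify a certificate against the CA with CRL checking on, as a client that has
# loaded a CRL does. Returns [verified?, OpenSSL's verify error string].
def verify_with_crl(ca_cert, crl, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  ctx = OpenSSL::X509::StoreContext.new(store, cert)
  [ctx.verify, ctx.error_string]
end

# Constructed scenario: the CA issued two certificates for /CN=myhost and revoked
# the first one. The CRL is matched by serial number, not by CN.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Puppet CA (constructed)', 1, ca_key)
  host_key = OpenSSL::PKey::RSA.new(2048)
  old = make_cert('/CN=myhost', 2, host_key, issuer: ca, issuer_key: ca_key)
  fresh = make_cert('/CN=myhost', 3, host_key, issuer: ca, issuer_key: ca_key)
  crl = make_crl(ca, ca_key, 2)
  { old: verify_with_crl(ca, crl, old), fresh: verify_with_crl(ca, crl, fresh) }
end
```

Running `demo` returns `[false, "certificate revoked"]` for the revoked serial and `[true, "ok"]` for the reissued one, the same verify error string that appears in the agent output above.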