Now that we've deprecated TLSv1.0/TLSv1.1 on our main caching cluster, it makes sense to drop them from the compat level of ssl_ciphersuite as well. This would mean that the puppetmasters would require TLSv1.2. @MoritzMuehlenhoff mentioned that jessie environments need some extra checks before proceeding.
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
puppetmaster: update web site to use strong ssl ciphers | operations/puppet | production | +2 -2

Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Vgutierrez | T238038 Start warning and deprecation process for all legacy TLS
Resolved | | jbond | T242991 Analyze the impact of removing TLSv1/v1.1 on puppetmasters
Event Timeline
I created a quick ruby script:

```ruby
#!/usr/bin/env ruby
# Ask howsmyssl.com what this host's TLS client stack offers and pretty-print the answer
require 'open-uri'
require 'json'

print(JSON.pretty_generate(JSON.parse(URI.parse('https://www.howsmyssl.com/a/check').read)))
```

and ran it on a jessie docker instance, and it seems to support TLS 1.2:

```json
{
  "given_cipher_suites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
  ],
  "ephemeral_keys_supported": true,
  "session_ticket_supported": true,
  "tls_compression_supported": false,
  "unknown_cipher_suite_supported": false,
  "beast_vuln": false,
  "able_to_detect_n_minus_one_splitting": false,
  "insecure_cipher_suites": {
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA": [
      "uses RC4 which has insecure biases in its output"
    ],
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA": [
      "uses RC4 which has insecure biases in its output"
    ],
    "TLS_RSA_WITH_RC4_128_SHA": [
      "uses RC4 which has insecure biases in its output"
    ]
  },
  "tls_version": "TLS 1.2",
  "rating": "Bad"
}
```
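The howsmyssl check above exercises the jessie client side against a remote service. As an added example (not from the task, the puppet change or howsmyssl), the Ruby script below exercises the server side of the change offline: a loopback server configured with a TLS 1.2 minimum, as the hardened puppetmaster will be, and two clients, one capped at TLS 1.1 as a stand-in for a legacy agent and one allowing TLS 1.2. The self-signed certificate, loopback address and function names are constructed for the example.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed cert for localhost (2048-bit RSA, SHA-256): the
# server identity and, on the client side, the only trusted anchor. Lab only.
def make_self_signed
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end
# Server side like the hardened puppetmaster (TLS 1.2 minimum); serves one
# loopback handshake in a thread, where a refused handshake is expected.
def serve_one_tls12_handshake(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  srv = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), ctx)
  thr = Thread.new { (srv.accept.close rescue nil); srv.close }
  [srv.to_io.addr[1], thr]
end
# Client side capped at max_version (TLS1_1_VERSION stands in for a legacy
# agent). Returns the negotiated protocol ("TLSv1.2") or nil when refused.
def handshake_capped_at(port, cert, max_version)
  tcp = TCPSocket.new('127.0.0.1', port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  ctx.max_version = max_version
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError
  nil         # protocol_version alert from the server, or no usable protocol locally
ensure
  tcp&.close  # also unblocks the server's pending accept
end
# Full round trip for one client cap; returns the negotiated version or nil.
def check(max_version)
  key, cert = make_self_signed
  port, thr = serve_one_tls12_handshake(key, cert)
  result = handshake_capped_at(port, cert, max_version)
  thr.join
  result
end

puts "TLS 1.1-capped client: #{check(OpenSSL::SSL::TLS1_1_VERSION).inspect}"  # nil
puts "TLS 1.2 client: #{check(OpenSSL::SSL::TLS1_2_VERSION).inspect}"         # "TLSv1.2"
```

Whether the legacy client is turned away by the server's protocol_version alert or by its own OpenSSL refusing to offer TLS 1.1, the outcome an agent would see is the same: no session, so this is the behaviour to expect from any remaining host that cannot speak TLS 1.2.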
@jbond any further thoughts here? We do still have ~55 jessies:
conf[2001-2003].codfw.wmnet,dbmonitor1001.wikimedia.org,helium.eqiad.wmnet,heze.codfw.wmnet,kraz.wikimedia.org,mc[2019-2027,2029-2037].codfw.wmnet,mc[1019-1036].eqiad.wmnet,mwlog2001.codfw.wmnet,mwlog1001.eqiad.wmnet,scb[2001-2006].codfw.wmnet,scb[1001-1004].eqiad.wmnet
Change 629442 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] puppetmaster: update web site to use strong ssl ciphers
Sorry, this dropped off my radar. I have created a change; we can test this tomorrow, but I suspect it should just work®.
Change 629442 merged by Jbond:
[operations/puppet@production] puppetmaster: update web site to use strong ssl ciphers
This has been deployed and everything looks good; closing. Please re-open if you see any issues.