On Thu, Dec 23, 2010 at 4:52 PM, Patrick <kc7...@gmail.com> wrote:

>
> On Dec 23, 2010, at 10:48 AM, Douglas Garstang wrote:
>
> On Wed, Dec 22, 2010 at 8:33 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>
>> On Wed, Dec 22, 2010 at 4:24 PM, Douglas Garstang
>> <doug.garst...@gmail.com> wrote:
>> > On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>> >>
>> >> On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang
>> >> <doug.garst...@gmail.com> wrote:
>> >> > We're currently going through a PCI audit process, and an internal scan by
>> >> > an auditor of our network came up with the following advisory on port 8139
>> >> > on all of our puppet servers.
>> >> > Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
>> >> > configuration files:
>> >> > SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>> >> > Obviously, it's a canned response assuming that a web server is listening on
>> >> > that port. Is there any way to disable the 'weak and medium ciphers' on the
>> >> > default webrick server?
>> >>
>> >> We actually had a feature request in about this recently that
>> >> shouldn't be too hard to find if you do a search. More people caring
>> >> about this will lead us to prioritize it more, however...
>> >>
>> >> You really should move away from Webrick for production for several
>> >> reasons, including this one. It's not suggested for production use.
>> >>
>> >> If you move to Mongrel or Passenger with Apache, our two most common
>> >> deployment methods, you can fully specify the strong ciphers.
>> >>
>> >
>> > Nigel,
>> > Well, I can go back and give Passenger another shot, but I didn't pursue it
>> > originally because I wasn't able to get the perfect combination of ruby,
>> > rack etc etc to make it work. It involves a lot of magic voodoo. Passenger
>> > is also installed from ruby gems which, as an ops person, makes my skin
>> > crawl.
>> > Also... I'm not sure if I understand this issue correctly, but the client
>> > itself runs the WEBrick server, correct? What is this for? Is this to allow
>> > puppetrun to be run from the server? If that's the case, I would also have
>> > to move every client to Passenger or Mongrel as well. I'm not sure about
>> > Mongrel, but that means a rather complicated update on the clients, given
>> > Passenger's voodoo install magic.
>>
>> That's actually a good point.
>>
>> Are you running the puppet agent in daemon mode or scheduled out of cron?
>>
>
> I'm running the puppet agent as a daemon.
>
> But... I'm still not quite following what has to happen on the clients. Are
> we saying that I have to replace the webrick server on the clients with
> Passenger? That's a pretty heavy-handed approach. This means that all the
> clients have to be running Apache.....
>
>
> My understanding is that the client doesn't even use Webrick unless you use
> "listen=true".
>
Right... I do have listen=true on the clients because I want to be able to
trigger puppet to run on a number of hosts centrally with puppetrun. If I
set listen != true, I can't do this. Also... if puppet is running from cron,
you can't do that either. Replacing webrick with passenger isn't really
feasible since passenger isn't available as a nice simple RPM for CentOS
5.5, and I don't know what magic the gems do under the covers in order to
build my own passenger RPM. I would also then need to have Apache running on
every single client.

Doug
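
The auditor's canned SSLCipherSuite string quoted in the thread is worth checking before it is copied into an Apache config: in OpenSSL cipher-string syntax `!LOW:!EXP` removes low-strength and export suites, but `+HIGH:+MEDIUM` only moves matching suites to the end of the list and does not remove anything, so MEDIUM suites (and RC4, where the library still has it) remain enabled. The following script is an added example, not code from the thread or from Puppet; it expands a cipher string through the local OpenSSL library the way mod_ssl would and reports which of the resulting suites a scanner would still call weak or medium. The stricter comparison string `HIGH:!aNULL:!eNULL` and the `weak?` classification (under 128 bits, or null/anonymous/export) are assumptions for illustration, and the exact suite list depends on the OpenSSL build the script runs against.

```ruby
# Added example (not from the thread): expand a mod_ssl-style cipher string
# through the local OpenSSL library and flag suites that a PCI scan would
# still report as weak or medium.
require 'openssl'

# The auditor's canned recommendation from the advisory in the thread.
AUDITOR_STRING = 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'
# Assumed stricter alternative (not from the thread): HIGH suites only, with
# anonymous and null-encryption suites removed.
STRICT_STRING = 'HIGH:!aNULL:!eNULL'

# Expand a cipher string into the suites OpenSSL would actually offer.
# Each entry is [name, protocol_version, key_bits, alg_bits], as returned by
# OpenSSL::SSL::SSLContext#ciphers. What comes back depends on the local
# build (RC4 and 3DES are typically absent from modern OpenSSL builds).
def ciphers_for(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers
end

# Assumed scanner classification: anything under 128 bits is weak or medium,
# as are export, anonymous and null-encryption suites whatever bit count
# the library reports for them.
def weak?(name, bits)
  return true if bits < 128
  return true if name =~ /\A(EXP|ADH|AECDH)-/ || name =~ /NULL/
  false
end

# Names of the suites from +cipher_string+ that weak?() flags.
def weak_ciphers(cipher_string)
  ciphers_for(cipher_string)
    .select { |name, _version, bits, _alg_bits| weak?(name, bits) }
    .map(&:first)
end

if __FILE__ == $0
  [AUDITOR_STRING, STRICT_STRING].each do |s|
    offered = ciphers_for(s)
    flagged = weak_ciphers(s)
    puts s
    puts "  #{offered.size} suites offered, #{flagged.size} flagged: #{flagged.join(', ')}"
  end
end
```

Run it on the machine that will serve port 8140 (or 8139 for agents with listen=true) so that it evaluates against the same OpenSSL the server links to; an empty flagged list for a string is the result the auditor's "disable weak and medium ciphers" finding actually asks for.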

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.