Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-02-12 Thread Justin Stoller (Jira)
Justin Stoller commented on PUP-10212
 
We typically target the latest and earliest versions of a major OS release. i.e., we have Red Hat 7.1 in our CI system for that compatibility guarantee, and that image comes with Java 1.8 b08. I have a feeling we can make an exception that users should have been upgrading to builds of the JDK with better security, even if they've stayed on jdk8. I'll have to run that by RE or Product first and get the images updated. I'm out next week so I won't get an answer for a bit.
 
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.336537.1574710008000.141709.1613182200035%40Atlassian.JIRA.


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-02-11 Thread Valters Jansons (Jira)
Valters Jansons commented on PUP-10212
 
Josh Cooper, Justin Stoller, Java support matrix from Installing Puppet Server says:

Puppet 2.x supports Java 7 and 8
Puppet 5.x supports Java 8
Puppet 6.x and later support Java 8 and 11

Java™ SE Development Kit 1.6.0u101 and 1.7.0u85 added the jdk.tls.ephemeralDHKeySize system property. Java™ SE Development Kit 1.6.0u105 and 1.7.0u91 added support for DHKeyPair generation for key sizes up to 2048 bits. Java 7 initial release allows the DH key size to be between 512 and 1024 bits as listed on JSSE: Features and Benefits and it is not configurable. Java 8 discusses jdk.tls.ephemeralDHKeySize is allowed to be between 1024 and 2048 (from JSSE: Customizing Size of Ephemeral Diffie-Hellman Keys). Puppet 2.x changes are out of the question, so the Java 7 and Java 8 compatibility for non-Oracle customers is not a concern. Puppet 5.x supports Java 8, and Java 8 lists the system property as allowing 2048 bits. It is reasonable to expect Java 11 to support the property similarly, and the latest Puppet releases target Java 8 and 11, so it should be fine.

Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-02-10 Thread Josh Cooper (Jira)
Josh Cooper commented on PUP-10212
 
Valters Jansons, that seems doable, though I don't know if there are reasons why we're intentionally not doing that, perhaps due to incompatibility with older Java versions (just a guess). Thoughts, Justin Stoller?


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-02-10 Thread Valters Jansons (Jira)
Valters Jansons commented on PUP-10212
 
Is there a reason as to why the packaged /etc/default/puppetserver for Open-Source Puppet Server (as of 7.0.3) does not include -Djdk.tls.ephemeralDHKeySize=2048?
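
The check implied by the question above, as an added example that is not part of the original thread or of Puppet's packaging: a shell audit that reports whether JAVA_ARGS in a defaults file such as /etc/default/puppetserver sets -Djdk.tls.ephemeralDHKeySize to at least 2048. The function names and sample files are constructed for illustration; `legacy` and `matched` are the non-numeric values the JDK also accepts for this property.

```shell
#!/bin/sh
# Added example: audit a Puppet Server defaults file for the JVM property
# -Djdk.tls.ephemeralDHKeySize discussed in this thread.

# Print the value of the last -Djdk.tls.ephemeralDHKeySize=... found on an
# uncommented JAVA_ARGS line of FILE ($1); print nothing if it is absent.
# Assumption: when the option is repeated, the last occurrence is the one kept.
dh_key_size() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?JAVA_ARGS=' "$1" 2>/dev/null |
        grep -oE -e '-Djdk\.tls\.ephemeralDHKeySize=[A-Za-z0-9]+' |
        tail -n 1 | cut -d= -f2
}

# Print a verdict for FILE ($1) against a minimum size in bits ($2, default
# 2048, the value PE sets). Returns 0 only for a numeric size >= the minimum.
audit_dh_key_size() {
    min=${2:-2048}
    size=$(dh_key_size "$1") || size=''
    case $size in
        '')             echo "missing"; return 1 ;;        # JVM default applies
        legacy|matched) echo "symbolic:$size"; return 1 ;; # size not pinned
        *[!0-9]*)       echo "invalid:$size"; return 1 ;;
    esac
    if [ "$size" -lt "$min" ]; then
        echo "weak:$size"; return 1
    fi
    echo "ok:$size"
}

# Constructed sample files (not taken from a real host).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'JAVA_BIN="/usr/bin/java"' \
        'JAVA_ARGS="-Xms2g -Xmx2g"' > "$dir/unset"
    printf '%s\n' '#JAVA_ARGS="-Djdk.tls.ephemeralDHKeySize=2048"' \
        'JAVA_ARGS="-Xms2g -Djdk.tls.ephemeralDHKeySize=1024"' > "$dir/weak"
    printf '%s\n' \
        'JAVA_ARGS="-Xms2g -Xmx2g -Djdk.tls.ephemeralDHKeySize=2048"' > "$dir/ok"
    echo "$dir"
}

samples=$(make_samples)
for f in unset weak ok; do
    printf '%s: %s\n' "$f" "$(audit_dh_key_size "$samples/$f" || true)"
done
rm -rf "$samples"
```

On a server host, `audit_dh_key_size /etc/default/puppetserver` gives the same verdicts; `missing` means the JVM's built-in default key size is in effect.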


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-01-27 Thread Josh Cooper (Jira)
Josh Cooper commented on PUP-10212
 
Thanks, Charlie Sharpsteen! I think the question of "how to change DH keys for opensource" is an exercise left to the reader. There's some documentation here for jdk8: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys

With that, I'm going to close this ticket.


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-01-27 Thread Charlie Sharpsteen (Jira)
Charlie Sharpsteen commented on PUP-10212
 
Ah, I see the PE version is 2019.2.1. PE-27944 bumped the Diffie-Hellman key size to 2048, released in PE 2019.4.0. So, it seems this issue should already be fixed in PE. Open Source may be a different question as PE implemented the fix by adding -Djdk.tls.ephemeralDHKeySize=2048 to the JAVA_ARGS managed by PE. But, maybe there is a default value used by the JVM that should be addressed by platform Java providers?


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2021-01-27 Thread Josh Cooper (Jira)
Josh Cooper commented on PUP-10212
 
Googling shows this error means the server is presenting a weak Diffie-Hellman key, e.g. https://imlc.me/dh-key-too-small. I assume dhparams.pem needs to be regenerated on the server host. Charlie Sharpsteen, does this sound familiar?


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2020-01-07 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Puppet / PUP-10212
 
Change By: Josh Cooper
Method Found: Needs Assessment
Issue Type: Sub-task Bug
Parent: PUP-8550
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2019-12-31 Thread Robert August Vincent II (JIRA)
Robert August Vincent II updated an issue

Puppet / PUP-10212
 
Change By: Robert August Vincent II
Method Found: Needs Assessment
Issue Type: Bug Sub-task
Parent: PUP-8550


Jira (PUP-10212) SSL negotiation fails with "tls_process_ske_dhe:dh key too small"

2019-12-31 Thread Robert August Vincent II (JIRA)
Robert August Vincent II moved an issue

Puppet / PUP-10212
 
Change By: Robert August Vincent II
Component/s: PuppetDB
Component/s: Puppet Server
Component/s: Networking
Key: ENTERPRISE PUP - 1301 10212
Project: Puppet Enterprise