On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang
> <doug.garst...@gmail.com> wrote:
> > We're currently going through a PCI audit process, and an internal scan by
> > an auditor of our network came up with the following advisory on port 8139
> > on all of our puppet servers.
> > Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
> > configuration files:
> > SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> > Obviously, it's a canned response assuming that a web server is listening on
> > that port. Is there any way to disable the 'weak and medium ciphers' on the
> > default webrick server?
>
> We actually had a feature request in about this recently that
> shouldn't be too hard to find if you do a search. More people caring
> about this will lead us to prioritize it more, however...
>
> You really should move away from Webrick for production for several
> reasons, including this one. It's not suggested for production use.
>
> If you move to Mongrel or Passenger with Apache, our two most common
> deployment methods, you can fully specify the strong ciphers.

Nigel,

Well, I can go back and give Passenger another shot, but I didn't pursue it originally because I wasn't able to get the perfect combination of ruby, rack etc etc to make it work. It involves a lot of magic voodoo. Passenger is also installed from ruby gems which, as an ops person, makes my skin crawl.

Also... I'm not sure if I understand this issue correctly, but the client itself runs the WEBrick server, correct? What is this for? Is this to allow puppetrun to be run from the server? If that's the case, I would also have to move every client to Passenger or Mongrel as well. I'm not sure about Mongrel, but that means a rather complicated update on the clients, given Passenger's voodoo install magic.

Doug.