On Wed, Dec 22, 2010 at 4:24 PM, Douglas Garstang <doug.garst...@gmail.com> wrote:
> On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>>
>> On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang
>> <doug.garst...@gmail.com> wrote:
>> > We're currently going through a PCI audit process, and an internal scan by
>> > an auditor of our network came up with the following advisory on port 8139
>> > on all of our puppet servers.
>> >
>> > Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
>> > configuration files:
>> >
>> > SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>> >
>> > Obviously, it's a canned response assuming that a web server is listening on
>> > that port. Is there any way to disable the 'weak and medium ciphers' on the
>> > default webrick server?
>>
>> We actually had a feature request in about this recently that
>> shouldn't be too hard to find if you do a search. More people caring
>> about this will lead us to prioritize it more, however...
>>
>> You really should move away from Webrick for production for several
>> reasons, including this one. It's not suggested for production use.
>>
>> If you move to Mongrel or Passenger with Apache, our two most common
>> deployment methods, you can fully specify the strong ciphers.
>>
>
> Nigel,
> Well, I can go back and give Passenger another shot, but I didn't pursue it
> originally because I wasn't able to get the perfect combination of ruby,
> rack etc etc to make it work. It involves a lot of magic voodoo. Passenger
> is also installed from ruby gems which, as an ops person, makes my skin
> crawl.
>
> Also... I'm not sure if I understand this issue correctly, but the client
> itself runs the WEBrick server, correct? What is this for? Is this to allow
> puppetrun to be run from the server? If that's the case, I would also have
> to move every client to Passenger or Mongrel as well. I'm not sure about
> Mongrel, but that means a rather complicated update on the clients, given
> Passenger's voodoo install magic.

That's actually a good point. Are you running the puppet agent in daemon mode or scheduled out of cron?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
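Whichever front end ends up consuming the cipher string (Apache's SSLCipherSuite in front of Passenger, or some other server), the practical question before and after the change is the same: which suites does OpenSSL actually leave enabled for a given specification, and do any of them still match what the scanner flags? The script below is an added example, not code from the thread, from Puppet or from Puppet Labs. It evaluates the auditor's exact string through Ruby's standard OpenSSL binding (the same library WEBrick and Passenger use) and reports the enabled suites, the weakest symmetric key size and any suite names matching a hypothetical weak-name list. The second, stricter specification and the WEAK_NAME_PATTERNS list are assumptions chosen for illustration, not a recommendation from the thread.

```ruby
require "openssl"

# The cipher string the auditor recommended in the thread above.
AUDITOR_SPEC = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM".freeze

# A tighter alternative a practitioner might try instead. Hypothetical:
# chosen here for illustration, not taken from the thread.
STRICT_SPEC = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5".freeze

# Substrings in OpenSSL suite names that a PCI-style scan typically flags.
# Illustrative only: align them with the scanner's actual findings.
WEAK_NAME_PATTERNS = [/NULL/, /EXP/, /RC4/, /DES/, /MD5/].freeze

# Cipher suites OpenSSL enables for a specification string, as an array of
# [name, protocol, key_bits, alg_bits]. A spec matching nothing makes
# SSL_CTX_set_cipher_list fail and Ruby raises OpenSSL::SSL::SSLError;
# that is mapped to an empty list so callers see "nothing enabled".
def enabled_ciphers(spec)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = spec
  ctx.ciphers
rescue OpenSSL::SSL::SSLError
  []
end

# Names of enabled suites that match one of the weak-name patterns.
def weak_ciphers(spec)
  enabled_ciphers(spec).map(&:first).select do |name|
    WEAK_NAME_PATTERNS.any? { |pat| name.match?(pat) }
  end
end

# Smallest symmetric key size among the enabled suites (0 when none).
def min_key_bits(spec)
  enabled_ciphers(spec).map { |suite| suite[2] }.min || 0
end

# Plain-text summary suitable for a before/after comparison in a change ticket.
def report(spec)
  suites = enabled_ciphers(spec)
  weak = weak_ciphers(spec)
  lines = [
    "spec:           #{spec}",
    "enabled suites: #{suites.size}",
    "min key bits:   #{min_key_bits(spec)}",
    "weak-name hits: #{weak.empty? ? 'none' : weak.join(', ')}",
  ]
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts report(AUDITOR_SPEC)
  puts
  puts report(STRICT_SPEC)
end
```

Run it on the machine that will serve the Puppet endpoint, since the result depends on that host's OpenSSL build and default security level; a specification that looks strict on a workstation can still enable 3DES or other medium-strength suites on an older library. Note that `RC4+RSA` in the auditor's string only reorders RC4 suites to the end of the list rather than removing them, which is why the stricter spec excludes them explicitly.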