On Dec 23, 2010, at 10:48 AM, Douglas Garstang wrote:

> On Wed, Dec 22, 2010 at 8:33 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>
> > On Wed, Dec 22, 2010 at 4:24 PM, Douglas Garstang <doug.garst...@gmail.com> wrote:
> >
> > > On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
> > >
> > > > On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang <doug.garst...@gmail.com> wrote:
> > > >
> > > > > We're currently going through a PCI audit process, and an internal scan by
> > > > > an auditor of our network came up with the following advisory on port 8139
> > > > > on all of our puppet servers.
> > > > >
> > > > > Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
> > > > > configuration files:
> > > > >
> > > > > SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> > > > >
> > > > > Obviously, it's a canned response assuming that a web server is listening on
> > > > > that port. Is there any way to disable the 'weak and medium ciphers' on the
> > > > > default webrick server?
> > > >
> > > > We actually had a feature request in about this recently that
> > > > shouldn't be too hard to find if you do a search. More people caring
> > > > about this will lead us to prioritize it more, however...
> > > >
> > > > You really should move away from Webrick for production for several
> > > > reasons, including this one. It's not suggested for production use.
> > > >
> > > > If you move to Mongrel or Passenger with Apache, our two most common
> > > > deployment methods, you can fully specify the strong ciphers.
> > >
> > > Nigel,
> > >
> > > Well, I can go back and give Passenger another shot, but I didn't pursue it
> > > originally because I wasn't able to get the perfect combination of ruby,
> > > rack etc etc to make it work. It involves a lot of magic voodoo. Passenger
> > > is also installed from ruby gems which, as an ops person, makes my skin
> > > crawl.
> > >
> > > Also... I'm not sure if I understand this issue correctly, but the client
> > > itself runs the WEBrick server, correct? What is this for? Is this to allow
> > > puppetrun to be run from the server? If that's the case, I would also have
> > > to move every client to Passenger or Mongrel as well. I'm not sure about
> > > Mongrel, but that means a rather complicated update on the clients, given
> > > Passenger's voodoo install magic.
> >
> > That's actually a good point.
> >
> > Are you running the puppet agent in daemon mode or scheduled out of cron?
>
> I'm running the puppet agent as a daemon.
>
> But... I'm still not quite following what has to happen on the clients. Are
> we saying that I have to replace the webrick server on the clients with
> Passenger? That's a pretty heavy-handed approach. This means that all the
> clients have to be running Apache.....
My understanding is that the client doesn't even use Webrick unless you use "listen=true".
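As an added illustration (not from the thread, and not Puppet's own shipped config), here is what Nigel's suggestion looks like in practice: an Apache/Passenger vhost for the master that sets the cipher policy WEBrick cannot, with the auditor's canned SSLCipherSuite from the scan shown commented out beside a tighter one. The hostname, ssldir and rack paths are placeholders, the port is the one the thread's scan flagged, and mod_ssl, mod_headers and the Passenger module are assumed to be loaded already.

```apache
# Assumed: mod_ssl, mod_headers and the Passenger module are already loaded.
Listen 8139   # port the thread's scan flagged; use your master's real port

<VirtualHost *:8139>
    ServerName puppet.example.com     # placeholder hostname

    SSLEngine on
    # Refuse SSLv2 and SSLv3; Ruby agents negotiate TLSv1 without trouble
    SSLProtocol all -SSLv2 -SSLv3
    # The auditor's canned string from the thread. It does drop anonymous,
    # NULL, export and LOW suites, but it still keeps RC4 and the MEDIUM group:
    #SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    # Tighter: HIGH-strength suites only, with RC4 and MD5-MAC suites removed
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!RC4:!MD5
    # Let the server, not the agent, choose the suite from that list
    SSLHonorCipherOrder on

    # Puppet's own CA and master cert (placeholder paths under your ssldir)
    SSLCertificateFile      /path/to/puppet/ssl/certs/puppet.example.com.pem
    SSLCertificateKeyFile   /path/to/puppet/ssl/private_keys/puppet.example.com.pem
    SSLCertificateChainFile /path/to/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /path/to/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /path/to/puppet/ssl/ca/ca_crl.pem
    # Agents present their client certs; mod_ssl verifies them against the
    # Puppet CA and passes the outcome to the master in two request headers
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars
    # "set" (never "append") so an agent cannot smuggle in its own copy
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Rack directory holding the master's config.ru (placeholder path);
    # RackAutoDetect is the Passenger 2-era directive the master config used
    DocumentRoot /path/to/puppet-rack/public
    RackAutoDetect On
    <Directory /path/to/puppet-rack/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
```

The agent side needs nothing from this unless `listen=true` is set, which is what the last reply in the thread is pointing at; with the default off, only the master's port is exposed and only this vhost's cipher policy applies.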