Hi, for anyone who follows on from this:
-Djdk.tls.ephemeralDHKeySize=2048 needs to be added to the JDK. I moved to JDK 11; this seems to solve the problem!

A

On Thursday, November 14, 2019 at 9:52:23 AM UTC+11, Keyzer Suze wrote:
>
> Hi
>
> I have a green-field install of Puppet; that bit's okay. Added in
> puppetdb; this is where I have issues.
>
> Installed; got r10k working, got YAML working and some other things:
> packages.
>
> Then tried puppetdb, but it keeps failing on the SSL test.
>
> This is what I get from s_client:
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2505 bytes and written 337 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: B5EA0F1FBF08842917D3CC9340411B1482B2535D958FE72FDE0AE9E36E7C4F34
>     Session-ID-ctx:
>     Master-Key:
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1573602368
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: yes
>
> No ciphers!!!
>
> This is my setup:
>
> # Configure puppetdb and its underlying database
> class { 'puppetdb':
>   manage_package_repo  => false,
>   manage_dbserver      => false,
>   #ssl_protocols       => 'TLSv1.1,TLSv1.2',
>   ssl_protocols        => 'TLSv1.2',
>   listen_address       => '0.0.0.0',
>   manage_firewall      => true,
>   open_listen_port     => true,
>   open_ssl_listen_port => true,
>   # disable_ssl        => true,
> }
>
> # Configure the Puppet master to use puppetdb
> class { 'puppetdb::master::config':
>   # puppetdb_disable_ssl => true,
> }
>
> This is the telling bit, I think:
>
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
> 2019-11-13T10:47:18.216+11:00 WARN [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for InternalSslContextFactory@71c7554f[provider=null,keyStore=null,trustStore=null]
>
> And this is the jetty.ini:
>
> cat /etc/puppetlabs/puppetdb/conf.d/jetty.ini
> [jetty]
> # IP address or hostname to listen for clear-text HTTP. To avoid resolution
> # issues, IP addresses are recommended over hostnames.
> # Default is `localhost`.
> # host = <host>
> host = 0.0.0.0
>
> # Port to listen on for clear-text HTTP.
> port = 8080
>
> # The following are SSL specific settings. They can be configured
> # automatically with the tool `puppetdb ssl-setup`, which is normally
> # ran during package installation.
>
> # IP address to listen on for HTTPS connections. Hostnames can also be used
> # but are not recommended to avoid DNS resolution issues. To listen on all
> # interfaces, use `0.0.0.0`.
> ssl-host = 0.0.0.0
>
> # The port to listen on for HTTPS connections
> ssl-port = 8081
>
> # Private key path
> ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
>
> # Public certificate path
> ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
>
> # Certificate authority path
> ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
>
> # Access logging configuration path. To turn off access logging
> # comment out the line with `access-log-config=...`
> access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
>
> cipher-suites = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
> ssl-protocols = TLSv1.2
>
> I'm guessing the ciphers are wrong, or there is something wrong with the
> cipher setup? Maybe it should be a ersa (the certs used for the elliptical
> ciphers), or maybe DH params are missing? I'm not sure; I would have
> thought puppetdb would work out of the box!
>
> Also, I am using:
>
> java -version
> openjdk version "11.0.5" 2019-10-15 LTS
> OpenJDK Runtime Environment 18.9 (build 11.0.5+10-LTS)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.5+10-LTS, mixed mode, sharing)
>
> I have also tried JDK 8, the one installed with puppetdb; same thing.
> I have tried removing the cipher-suites option; same issue.
>
> Very frustrating...
>
> A

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/51fde14b-a514-4cb6-9be7-001fe677145a%40googlegroups.com.
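An added example, not code from the thread above and not part of PuppetDB: a small Python audit of the cipher-suites value from the quoted jetty.ini. It assumes the PuppetDB listener presents an RSA certificate (consistent with the 4096-bit server key in the s_client output and with the Puppet CA's default key type) and classifies each JSSE suite name by key exchange, signing key type, cipher mode and MAC. The sample input is the list copied from the thread; the suite-name regex, the keep policy (ECDHE/DHE signed by the certificate's key type, AES-GCM, SHA-2 MAC) and the function names are the author's choices, not PuppetDB defaults.

```python
"""Audit a PuppetDB jetty.ini cipher-suites value against the server's
certificate key type and a forward-secrecy, AEAD-only policy.

Added example (not PuppetDB code). Suite names follow the JSSE convention
TLS_<kx>[_<auth>]_WITH_<cipher>_<mac>; the policy is the author's choice.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the cipher-suites value quoted from the thread's jetty.ini.
SAMPLE_CIPHER_SUITES = (
    '"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,'
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,'
    'TLS_DH_DSS_WITH_AES_128_CBC_SHA256,TLS_DH_DSS_WITH_AES_128_GCM_SHA256,'
    'TLS_DH_DSS_WITH_AES_256_CBC_SHA256,TLS_DH_DSS_WITH_AES_256_GCM_SHA384,'
    'TLS_DH_RSA_WITH_AES_128_CBC_SHA256,TLS_DH_RSA_WITH_AES_128_GCM_SHA256,'
    'TLS_DH_RSA_WITH_AES_256_CBC_SHA256,TLS_DH_RSA_WITH_AES_256_GCM_SHA384,'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,'
    'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,'
    'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,'
    'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,'
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,'
    'TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,'
    'TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"'
)

SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|ECDH|DHE|DH|RSA|SRP_SHA)"
    r"(?:_(?P<auth>RSA|ECDSA|DSS))?"
    r"_WITH_(?P<cipher>AES_(?:128|256)_(?:GCM|CBC)|3DES_EDE_CBC|RC4_128|NULL)"
    r"_(?P<mac>SHA256|SHA384|SHA)$"
)


@dataclass(frozen=True)
class Verdict:
    suite: str
    keep: bool
    reasons: tuple[str, ...]  # empty when the suite is kept


def parse_cipher_suites(value: str) -> list[str]:
    """Split the ini value (quotes optional) into unique suite names, order kept."""
    seen: dict[str, None] = {}
    for name in value.strip().strip('"').split(","):
        if name.strip():
            seen.setdefault(name.strip(), None)
    return list(seen)


def assess(suite: str, cert_type: str = "RSA") -> Verdict:
    """Can this suite be negotiated with a cert_type certificate, and is it strong?"""
    m = SUITE_RE.match(suite)
    if not m:
        return Verdict(suite, False, ("unrecognised suite name",))
    kx, auth, cipher, mac = m.group("kx", "auth", "cipher", "mac")
    reasons: list[str] = []
    if kx == "RSA":
        reasons.append("static RSA key exchange: no forward secrecy")
    elif kx in ("DH", "ECDH"):
        reasons.append("static (EC)DH: needs an (EC)DH certificate, no forward secrecy")
    elif kx == "SRP_SHA":
        reasons.append("SRP is password-based, not certificate-based")
    # For ephemeral suites <auth> names the key that signs the handshake; for
    # static RSA the server key itself is the RSA key. Mismatches never negotiate.
    signing_key = auth if kx in ("ECDHE", "DHE") else ("RSA" if kx == "RSA" else None)
    if signing_key and signing_key != cert_type:
        reasons.append(f"signed by {signing_key}, but the server certificate is {cert_type}")
    if "GCM" not in cipher:
        reasons.append("not an AEAD cipher (CBC/3DES/RC4/NULL)")
    if mac == "SHA":
        reasons.append("HMAC-SHA1")
    return Verdict(suite, not reasons, tuple(reasons))


def audit(value: str, cert_type: str = "RSA") -> tuple[list[str], dict[str, tuple[str, ...]]]:
    """Return (kept suites with ECDHE first, {rejected suite: reasons})."""
    verdicts = [assess(s, cert_type) for s in parse_cipher_suites(value)]
    kept = [v.suite for v in verdicts if v.keep]
    kept.sort(key=lambda s: 0 if s.startswith("TLS_ECDHE_") else 1)  # stable sort
    rejected = {v.suite: v.reasons for v in verdicts if not v.keep}
    return kept, rejected


def render_ini_line(kept: list[str]) -> str:
    """Format the hardened value quoted the way the thread's jetty.ini has it."""
    return 'cipher-suites = "' + ",".join(kept) + '"'


if __name__ == "__main__":
    kept, rejected = audit(SAMPLE_CIPHER_SUITES)
    for suite, why in rejected.items():
        print(f"drop {suite}: {'; '.join(why)}")
    print(render_ini_line(kept))
```

Run it and paste the printed cipher-suites line back into jetty.ini, then restart PuppetDB. Of the forty suites in the quoted list, only four are both negotiable with an RSA certificate and AEAD with a SHA-2 MAC; the DSS, ECDSA, static DH and SRP entries can never be selected by this listener and only add noise. The suites Jetty flagged as weak in the quoted log (SHA1 MACs and static RSA) are rejected here for the same reasons. Note that the JDK property at the top of this thread, jdk.tls.ephemeralDHKeySize, only affects the DHE_ suites; if you keep just the ECDHE_ ones, that setting no longer matters for this port.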