We needed to upgrade Jetty but they changed their defaults and started
warning about weak ciphers. To avoid breaking folks we added back the
ciphers that had been allowed at the start of the 6.x series but that
causes a lot of warnings. If you don't have connections that rely on the
older ciphers you can remove the weak ciphers from puppetserver's
conf.d/webservers.conf and the warnings should go away. Let me know if the
release notes for 6.5 don't make sense.

On Tue, Nov 10, 2020 at 12:02 AM Dan Mahoney <gushimailt...@gmail.com>
wrote:

> To be clear, here's the full list of what's warned about (each of these
> gets logged six times in succession, which I've deduplicated for brevity
> *except for the last one* so you can see that there are different addresses
> being listed).
>
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@4f27d2a8
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@5a789c49
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@6593530a
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@71baa8f5
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@7beb914b
> [provider=null,keyStore=null,trustStore=null]
>
> On Monday, November 9, 2020 at 11:58:30 PM UTC-8 Dan Mahoney wrote:
>
>> All,
>>
>> This is probably nothing but I've searched the mailing lists and can't
>> find anything useful about this.  We're running our puppetmaster under
>> FreeBSD at the day job (puppet 6.18), and we see errors like this on
>> puppetserver startup in the logs:
>>
>> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for
>> InternalSslContextFactory@7beb914b
>> [provider=null,keyStore=null,trustStore=null]
>> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for
>> InternalSslContextFactory@3900153c
>> [provider=null,keyStore=null,trustStore=null]
>>
>> All in all, each warning is repeated several different times, and there's
>> probably seven or eight different ciphers.
>>
>> Java logging is...a mess, honestly, and it's pretty difficult to separate
>> signal from noise when you're trying to debug something.
>>
>> That said, I see release notes that something changed about weak ciphers
>> in 6.5, but we're not there yet.
>>
>> Is this something I should worry about, or just ignore?
>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/b5ec5090-810b-4bbc-80b4-cab024b20722n%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/b5ec5090-810b-4bbc-80b4-cab024b20722n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

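The reply above says the fix is to drop the weak suites from puppetserver's webserver.conf once you know no client depends on them. The script below is an added example, not code from the thread or from Puppet: it parses "Weak cipher suite" WARN lines like the ones quoted above, reports which suites were flagged on which SslContextFactory instance, filters a candidate cipher list with the same exclusion patterns Jetty 9.4 uses to decide what to warn about, and renders a `cipher-suites` entry for webserver.conf (that key is the trapperkeeper-webserver-jetty9 setting; the thread itself does not name it). The sample log lines and candidate list are constructed here for illustration.

```python
import re
from typing import Dict, List, Set

# Jetty 9.4 SslContextFactory's default excluded-cipher-suite patterns.
# A suite that matches one of these is what triggers the "Weak cipher suite" WARN
# when a config re-enables it. (Assumption: reproduced from Jetty 9.4 defaults.)
WEAK_PATTERNS = [
    re.compile(r"^.*_(MD5|SHA|SHA1)$"),  # CBC suites with HMAC-SHA1 or MD5
    re.compile(r"^TLS_RSA_.*$"),         # static RSA key exchange, no forward secrecy
    re.compile(r"^SSL_.*$"),             # legacy SSLv3-era suite names
    re.compile(r"^.*_NULL_.*$"),         # no encryption or no MAC
    re.compile(r"^.*_anon_.*$"),         # anonymous key exchange
]

# Matches the WARN lines quoted in the thread (one log event per line in the real log;
# the mailing-list copy wrapped them).
WARN_RE = re.compile(
    r"Weak cipher suite (?P<suite>\S+) enabled for "
    r"(?P<ctx>InternalSslContextFactory@[0-9a-f]+)"
)

# Constructed sample log, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c [provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@3900153c [provider=null,keyStore=null,trustStore=null]
WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for InternalSslContextFactory@4f27d2a8 [provider=null,keyStore=null,trustStore=null]
INFO [main] [p.t.s.w.jetty9-service] Initializing web server(s).
"""

# Constructed candidate list: standard JSSE suite names, mixing modern GCM suites
# with the CBC-SHA and static-RSA ones the thread's warnings complain about.
CANDIDATE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def is_weak(suite: str) -> bool:
    """True if Jetty's default exclusion patterns would flag this suite."""
    return any(p.match(suite) for p in WEAK_PATTERNS)


def weak_suites_from_log(log_text: str) -> Dict[str, Set[str]]:
    """Map each warned suite to the set of SslContextFactory instances it was reported on.

    The repeated WARN lines in the thread are the same suite on different
    factory instances; grouping them shows that, so the noise collapses to one
    row per suite.
    """
    found: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            found.setdefault(m.group("suite"), set()).add(m.group("ctx"))
    return found


def harden_cipher_list(candidates: List[str]) -> List[str]:
    """Drop every suite Jetty considers weak, preserving the caller's preference order."""
    return [s for s in candidates if not is_weak(s)]


def render_hocon(suites: List[str]) -> str:
    """Render a webserver.conf (HOCON) fragment with an explicit cipher-suites list."""
    body = ",\n".join(f'        "{s}"' for s in suites)
    return "webserver: {\n    cipher-suites: [\n" + body + "\n    ]\n}"


if __name__ == "__main__":
    for suite, contexts in sorted(weak_suites_from_log(SAMPLE_LOG).items()):
        print(f"{suite}: flagged on {len(contexts)} factory instance(s)")
    print(render_hocon(harden_cipher_list(CANDIDATE_SUITES)))
```

Before pushing a hardened list, confirm every agent and API client you care about (older Java-based agents in particular) can still negotiate one of the remaining suites, for example with `openssl s_client -connect puppet:8140 -cipher` against the new list from a representative client host; the WARN lines only say a weak suite is enabled, not that anything is currently using it.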