Update EL8+ and Debian SSL defaults #2336
apache::mod::ssl is a class
Breaking changes to this file WILL impact these 28 modules (exact match):
Breaking changes to this file MAY impact these 2 modules (near match):
apache::params is a class
Breaking changes to this file WILL impact these 7 modules (exact match):
Breaking changes to this file MAY impact these 4 modules (near match):
This module is declared in 174 of 579 indexed public

Looks like I'll need to update the tests to match the expected values.
Includes #2335 since EL8+ sets
@david22swan @chelnak it would help me a lot if this was reviewed and merged this week. Currently the tests are still running, hoping they'll pass but I'd appreciate if you take a look at the general design.
I do not know why mod_md has started to fail. I've also never used mod_md myself so not sure what's wrong. Sadly the error log is not very useful. I've pushed some changes that I hope will help.
On EL8+ the default ssl.conf file doesn't specify SSLProtocol at all, which implies using the system profile where it can be changed. This changes the template to deal with ssl_protocol set to an empty array, which was previously generating invalid syntax anyway.
I decided to dive into how one would do this properly in rspec. voxpupuli/beaker-rspec#115 is the result. I'll have a stab at porting this to Litmus, which should be very straight forward. That should allow me to provide sufficient debug info.

Now we're getting somewhere:
So it fails with:

So it looks like mod_md and using I'm debating options now. One option is to modify the test to explicitly set a cipher list. I'll try to set up a testing system to verify.
On EL8+ OpenSSL is patched to support a unified crypto policy. This is also the default when installing mod_ssl. Users of RHEL Insights will also receive warnings when the defaults differ.
Turns out it was much simpler than I thought. It only showed up with
@david22swan @chelnak test failures are now provisioning errors: it never even got to running the test suite. Can this be merged? |
Debian 10 and Ubuntu 18.04 (oldest of supported Debian-based distros) default to these values. This gives a safer out-of-the-box experience.
No change, just forcing a new CI run.
LGTM
Thanks for getting this in
It has been a long time since the defaults were updated. This results in a safer out-of-the-box deployment, matching what the vendors do.
For reference, EL7 has `SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA` and `SSLProtocol all -SSLv2 -SSLv3`. The 3DES looks to be a mistake and I'd expect them to have meant `!3DES`. I have not updated that default nor checked SLES.