
Disable weak ciphers in openssl at compile time

    Details

    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: puppet-agent 5.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Security
    • Story Points:
      2
    • Sprint:
      Perf&Sec 2017-03-22, Perf&Sec 2017-04-05, Perf&Sec 2017-04-19, Perf&Sec 2017-05-03, Perf&Sec 2017-05-31
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      The following weak ciphers and unused features have been removed from the openssl package vendored in puppet-agent:

      Ciphers: AF_ALG, BF, CAST, CMAC, DES, GOST, IDEA, MD2, MD4, MDC2, RC2, RC4, RC5, RIPEMD-160, SEED, whirlpool

      Features: CMS (S/MIME), Compression, Certificate transparency, datagram support, datagram TLS (DTLS), DTLSv1/v1.2 + methods, dynamic engine, engine module support, heartbeat, stream control transport, secure remote password, secure realtime transport, SSLv2, SSLv3
    • QA Risk Assessment:
      Needs Assessment

      Description

      Agents and CLI tools link against the openssl library. Since there are no runtime configuration switches to control the allowed ciphers and some potentially insecure features (listed below), they should be disabled at compile time to prevent accidental use.

      Ciphers: AF_ALG, BF, CAST, CMAC, DES, GOST, IDEA, MD2, MD4, MDC2, RC2, RC4, RC5, RIPEMD-160, SEED, whirlpool

      Features: CMS (S/MIME), Compression, Certificate transparency, datagram support, datagram TLS (DTLS), DTLSv1/v1.2 + methods, dynamic engine, engine module support, heartbeat, stream control transport, secure remote password, secure realtime transport, SSLv2, SSLv3
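As an added example (not code from the ticket or from the puppet-agent build), the cipher and feature list above mapped onto OpenSSL's `no-*` Configure options, with a check that a resulting build no longer lists any of the removed algorithms. The option names are those documented for OpenSSL 1.1.0; the mapping from the ticket's wording to option names, the function names and the sample algorithm list are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket or from puppet-agent's build scripts.
# Maps the cipher and feature list in PA-1059 onto OpenSSL "no-*" Configure
# options (names as documented in OpenSSL 1.1.0's INSTALL; the mapping from the
# ticket's wording to option names is this example's assumption) and checks a
# built binary's algorithm list against the ciphers that should be gone.

# Configure options for the ciphers named in the ticket.
PA1059_CIPHER_OPTS="no-afalgeng no-bf no-cast no-cmac no-des no-gost no-idea \
no-md2 no-md4 no-mdc2 no-rc2 no-rc4 no-rc5 no-rmd160 no-seed no-whirlpool"

# Configure options for the features named in the ticket. OpenSSL 1.1.0 has no
# SSLv2 code left; it accepts no-ssl2 only as a deprecated no-op.
PA1059_FEATURE_OPTS="no-cms no-comp no-ct no-dgram no-dtls no-dtls1-method \
no-dtls1_2-method no-dynamic-engine no-engine no-heartbeats no-sctp no-srp \
no-srtp no-ssl2 no-ssl3"

# Print the ./config command line for an install prefix (argument 1).
pa1059_config_cmd() {
    printf './config --prefix=%s %s %s\n' "$1" "$PA1059_CIPHER_OPTS" "$PA1059_FEATURE_OPTS"
}

# Read the output of `openssl list -cipher-algorithms` and
# `openssl list -digest-algorithms` on stdin. Print every algorithm that should
# have been compiled out; return 1 if any is present, 0 if the list is clean.
pa1059_check_algorithms() {
    if grep -iE '^(bf|blowfish|cast|des|gost|idea|md2|md4|mdc2|rc2|rc4|rc5|ripemd|rmd160|seed|whirlpool)'; then
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed algorithm list (not real openssl output):
# AES and SHA-256 pass, RC4 and 3DES are flagged, so the check returns 1.
pa1059_demo() {
    printf '%s\n' AES-128-CBC AES-256-GCM SHA256 RC4 DES-EDE3-CBC | pa1059_check_algorithms
}
```

After an actual build, `$PREFIX/bin/openssl list -cipher-algorithms | pa1059_check_algorithms` (and likewise for `-digest-algorithms`) gives the same verdict on the real binary.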

              People

              • Assignee: jayant.sane (Jayant Sane)
              • Reporter: jayant.sane (Jayant Sane)
              • Votes: 0
              • Watchers: 5
