Affects Version/s: PUP 4.10.8
Fix Version/s: PUP 4.10.10
Sprint: Platform Core KANBAN
Method Found: Needs Assessment
Release Notes: Bug Fix
Release Notes Summary: The webrick puppet master did not work when running Ruby 2.3.6 or 2.4.3 (and later).
QA Risk Assessment: No Action
Puppet Version: 4.10.8
OS Name/Version: FreeBSD 11.1-RELEASE (Affects Linux as well), with OpenSSL 1.0.2k
When launching the puppetmaster rc.d script on FreeBSD, which uses $Puppet_Location/puppet/network/http/webrick.rb, webrick fails to accept SSL/TLS connections due to a change upstream in Ruby.
The issue occurs in webrick.rb, supplied by puppet.
Due to the changes in Ruby, this should read:
To reproduce, run a webrick puppetmaster with Ruby 2.3.6 or newer on any OS using OpenSSL.
Webrick puppetmaster does the needful
Webrick puppetmaster outputs the following to logs:
[2017-12-25 21:30:26] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client hello B: unexpected record
/usr/local/lib/ruby/site_ruby/2.3/puppet/network/http/webrick.rb:32:in `block (2 levels) in listen'
/usr/local/lib/ruby/2.3/webrick/server.rb:314:in `block in start_thread'
and the following on the client:
Error: /File[/var/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_read: decryption failed or bad record mac
I am aware webrick is being deprecated; however, it is still in use currently.
I have filed a separate bug with FreeBSD to change the default puppet pkg to use sysutils/puppetserver from the ports system.