  1. Puppet Server
  2. SERVER-2576

Release and integrate tk-jetty9 3.0.0

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.5.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Server
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      We have upgraded to the latest release of Jetty's 9.4 series. In this update, Jetty warns that several ciphers that were previously enabled by default are "weak".

      In our upstream projects we've defaulted to using only FIPS compliant cipher suites that are not considered weak. In Puppet Server 7, these will be the default. However, to maintain backwards compatibility, we've explicitly enabled all of the cipher suites that were available starting in Puppet Server 6.0. This impacts users upgrading to Puppet Server 6.5.0 in two ways: 1) there will be updates coming from the package to the `webserver.conf` file in Puppet Server's conf.d directory, and 2) when Puppet Server starts or reloads, Jetty will warn about weak cipher suites being enabled.

      Again, these weak ciphers are the same ciphers that were enabled by default in the previous version of Puppet Server, and we've only enabled them to aid in the upgrade process. We strongly encourage all users to upgrade and then remove the cipher-suite configuration section from the webserver.conf, which will then use only the strong FIPS compliant cipher suites*.

      Additionally, Jetty removed the upstream complement to our so-linger-seconds configuration setting. The setting will be ignored and a warning will be issued if it is set. See https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/3.0.1/doc/jetty-config.md#so-linger-seconds for more information.

      *On some older operating systems you may see additional warnings that newer cipher suites are unavailable. In this case, you should manage the contents of the webserver.cipher-suites configuration value to be those strong suites that are available to you.
    • QA Risk Assessment:
      Needs Assessment

      Description

      We bumped the jetty version in tk-jetty9, and it broke some APIs that are used by puppetserver. We need to release tk-jetty9 and then do the work to update the way we're interacting with it in puppetserver.
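
To act on the release notes above (remove the explicit cipher list after upgrading, or trim it to strong suites on older operating systems), the following added example audits a `webserver.conf` for weak entries and a leftover `so-linger-seconds`. It is not Puppet's or Jetty's code. The weak-suite patterns are an assumption modeled on Jetty 9.4's default exclusions, and the sample config and the function name `audit_webserver_conf` are constructed for illustration.

```python
import re

# Assumption: patterns modeled on Jetty 9.4's default cipher exclusions;
# compare against the warnings your own server logs at startup.
WEAK_PATTERNS = [re.compile(p) for p in (
    r"^.*_(MD5|SHA|SHA1)$",   # MD5 / SHA-1 MACs
    r"^TLS_RSA_.*$",          # static RSA key exchange, no forward secrecy
    r"^SSL_.*$",
    r"^.*_NULL_.*$",
    r"^.*_anon_.*$",
)]

# Constructed sample, not the webserver.conf shipped in the package.
SAMPLE_CONF = """
webserver: {
    ssl-host: 0.0.0.0
    ssl-port: 8140
    so-linger-seconds: 5
    # "SSL_RSA_WITH_NULL_MD5" commented out, must be ignored
    cipher-suites: [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    ]
}
"""

def audit_webserver_conf(text):
    """Simplified scan (not a full HOCON parser) of one webserver block."""
    text = re.sub(r"(?m)^\s*(#|//).*$", "", text)   # drop full-line comments
    report = {"explicit_list": False, "weak": [], "kept": [],
              "so_linger_set": False}
    block = re.search(r"cipher-suites\s*[:=]\s*\[(.*?)\]", text, re.S)
    if block:
        report["explicit_list"] = True
        for suite in re.findall(r"[A-Za-z0-9_]+", block.group(1)):
            weak = any(p.search(suite) for p in WEAK_PATTERNS)
            report["weak" if weak else "kept"].append(suite)
    # Per the release notes the setting is ignored and triggers a warning.
    report["so_linger_set"] = bool(
        re.search(r"(?m)^\s*so-linger-seconds\s*[:=]", text))
    return report

if __name__ == "__main__":
    for key, value in audit_webserver_conf(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

An `explicit_list` of `False` is the state the release notes recommend after upgrading, since the server then falls back to its default strong suites.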

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  Maggie Dreyer