Affects Version/s: None
Fix Version/s: TK-JETTY9 1.2.0
In the 0.5.2 release of tk-jetty9, validation of the configuration was moved to Prismatic schema. During this process, support for specifying the values of the ssl-protocols and cipher-suites webserver settings as a comma-delimited string was lost. Note that the documentation at https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#cipher-suites and https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#ssl-protocols still implies that comma-delimited values are supported. The only way to specify these values in 0.5.2 and later is via a configuration format like HOCON, which allows the value to be expressed as an array.
See this commit from the Prismatic schema PR for what this looked like prior to the change:
Because of this change, it is no longer possible to specify ssl-protocols or cipher-suites via the INI configuration file format. The latest PuppetDB packaging still supports specifying its configuration via INI files. PuppetDB's master branch has been updated to depend upon a tk-jetty9 version later than 0.5.2 and, therefore, no longer supports user specification of the ssl-protocols and cipher-suites settings. Fortunately, the latest PuppetDB release, 2.2.2, references a pre-0.5.2 release of tk-jetty9 and, therefore, is not susceptible to this problem.
Until such time as support for INI configuration of tk-jetty9 settings can go away completely, we should look to restore the ability for tk-jetty9 to handle specification of the ssl-protocols and cipher-suites values as comma-delimited strings. PuppetDB would then need to be updated to reference a newer tk-jetty9 which would have this change.
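As an added illustration (not the project's own code), one way to restore the behaviour described above is a Prismatic schema that admits either a comma-delimited string (INI) or a vector of strings (HOCON array), followed by a normalization step that always yields a vector; the namespace and function names below are hypothetical.

```clojure
(ns tk-jetty9-example.config
  (:require [clojure.string :as str]
            [schema.core :as s]))

;; Hypothetical schema for settings such as ssl-protocols and cipher-suites:
;; a single comma-delimited string (as read from an INI file, e.g.
;; "TLSv1.2,TLSv1.1") or a vector of strings (as read from a HOCON array).
(def StringOrStringList
  (s/either s/Str [s/Str]))

(s/defn ^:always-validate split-if-string :- [s/Str]
  "Normalize a delimited setting to a vector of trimmed, non-blank strings.
   A string is split on commas; a vector is kept as-is apart from trimming.
   An empty or whitespace-only string yields an empty vector, which the
   caller can treat the same as the setting being absent."
  [v :- StringOrStringList]
  (let [parts (if (string? v) (str/split v #",") v)]
    (->> parts
         (map str/trim)
         (remove str/blank?)
         vec)))

(comment
  ;; INI-style value with stray whitespace around the delimiter
  (split-if-string "TLSv1.2, TLSv1.1")
  ;; HOCON-style array value
  (split-if-string ["TLSv1.2" "TLSv1.1"])
  ;; a non-string, non-vector value is rejected by the schema
  (s/check StringOrStringList 42))
```

Validating against StringOrStringList keeps the schema-based checking introduced in 0.5.2 while letting both configuration formats feed the same downstream Jetty SslContextFactory setup.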
Risk assessment: Medium (manual validation needed)
Probability: Medium (impacts users needing to specify cipher-suites)
Severity: Medium (workaround available)