  1. Trapperkeeper
  2. TK-133

Restore comma-delimited string for ssl-protocols and cipher-suites in tk-jetty9



    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: TK-JETTY9 1.2.0
    • Component/s: None
    • Sprint:
      Server Emerald 2015-03-04, Server Emerald 2015-03-18, Server Emerald 2015-04-01


      In the 0.5.2 release of tk-jetty9, validation of the configuration was moved to Prismatic schema. During this process, support for specifying the values for the ssl-protocols and cipher-suites webserver settings as a comma-delimited string was lost. Note from these links – https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#cipher-suites and https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#ssl-protocols – that delimiting the values with commas is still implied to be supported. The only way to specify these values in 0.5.2 and later is via a configuration format like HOCON, which allows for the value to be expressed within an array.

      See this commit from the Prismatic schema PR for what this looked like prior to the change:


      Because of this change, it is no longer possible to specify ssl-protocols or cipher-suites via the INI configuration file format. The latest PuppetDB packaging still supports specification of its configuration via INI files. PuppetDB's master branch has been updated to depend upon a tk-jetty9 version later than 0.5.2 and, therefore, no longer supports user specification of the ssl-protocols and cipher-suites settings. Fortunately, the latest PuppetDB release, 2.2.2, is referencing a pre-0.5.2 release of tk-jetty9 and, therefore, is not susceptible to this problem.

      Until such time as support for INI configuration of tk-jetty9 settings can go away completely, we should look to restore the ability for tk-jetty9 to handle specification of the ssl-protocols and cipher-suites values as comma-delimited strings. PuppetDB would then need to be updated to reference a newer tk-jetty9 which would have this change.

      Risk assessment: Medium (manual validation needed)
      Probability: Medium (impacts users needing to specify cipher-suite)
      Severity: Medium (workaround available)
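
The behaviour requested above, as an added example that is not tk-jetty9's own code: it reads the two settings from an INI file, where they can only arrive as one comma-delimited string, and also accepts the array form that HOCON allows. The `[webserver]` section name, the function names, the sample values and the choice to reject empty entries are assumptions.

```python
import configparser

# Constructed sample: INI has no array type, so each setting is a single
# comma-delimited string. The [webserver] section name is an assumption.
SAMPLE_INI = """\
[webserver]
ssl-protocols = TLSv1.1, TLSv1.2
cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256
"""


def normalize_list_setting(name, value):
    """Return a list of strings from a comma-delimited string or a list."""
    if value is None:
        return None  # setting absent: the caller applies its own defaults
    if isinstance(value, str):
        items = [part.strip() for part in value.split(",")]
    elif isinstance(value, (list, tuple)):
        if not all(isinstance(v, str) for v in value):
            raise ValueError(f"{name}: every entry must be a string")
        items = [v.strip() for v in value]
    else:
        raise ValueError(f"{name}: expected a string or a list of strings")
    if not items or any(not item for item in items):
        # Assumed policy: fail at load time on input such as "A,,B" instead
        # of starting the server with a list the operator did not intend.
        raise ValueError(f"{name}: empty entry in {value!r}")
    return items


def load_tls_settings(ini_text):
    """Parse INI text and return both TLS list settings in normalized form."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    section = parser["webserver"]
    return {
        name: normalize_list_setting(name, section.get(name))
        for name in ("ssl-protocols", "cipher-suites")
    }


if __name__ == "__main__":
    print(load_tls_settings(SAMPLE_INI))
```
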


              erik Erik Dasher
              jeremy.barlow Jeremy Barlow
              QA Contact:
              Erik Dasher