  1. Trapperkeeper
  2. TK-133

Restore comma-delimited string for ssl-protocols and cipher-suites in tk-jetty9

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: TK-JETTY9 1.2.0
    • Component/s: None
    • Labels:
      None

      Description

      In the 0.5.2 release of tk-jetty9, validation of the configuration was moved to Prismatic schema. During this process, support for specifying the values for the ssl-protocols and cipher-suites webserver settings as a comma-delimited string was lost. Note from these links – https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#cipher-suites and https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#ssl-protocols – that support for delimiting the values with commas is still implied to be supported. The only way to specify these values in 0.5.2 and later is via a configuration format like HOCON which allows for the value to be expressed within an array.

      See this commit from the Prismatic schema PR for what this looked like prior to the change:

      https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/pull/25/files#diff-1fc7ef9acd5fbc52947b0a4ba167e727L252

      Because of this change, it is no longer possible to specify ssl-protocols or cipher-suites via the INI configuration file format. Latest PuppetDB packaging still supports specification of its configuration via INI files. PuppetDB's master branch has been updated to depend upon a tk-jetty9 version later than 0.5.2 and, therefore, no longer supports user specification of the ssl-protocols and cipher-suite settings. Fortunately, the latest PuppetDB release, 2.2.2, is referencing a pre-0.5.2 release of tk-jetty9 and, therefore, is not susceptible to this problem.

      Until such time as support for INI configuration of tk-jetty9 settings can go away completely, we should look to restore the ability for tk-jetty9 to handle specification of the ssl-protocols and cipher-suites values as comma-delimited strings. PuppetDB would then need to be updated to reference a newer tk-jetty9 which would have this change.


      Risk assessment: Medium (manual validation needed)
      Probability: Medium (impacts users needing to specify cipher-suite)
      Severity: Medium (work around available)
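
One way to accept both forms of these settings, as an added example that is not tk-jetty9's own code: the hypothetical `normalize-names` takes either the comma-delimited string an INI file yields or the array a HOCON file yields and returns a vector, and `unsupported-names` lists entries the running JVM does not offer. The namespace, function names and sample values are assumptions made for illustration.

```clojure
(ns example.tls-settings
  (:require [clojure.string :as str])
  (:import (javax.net.ssl SSLContext)))

(defn normalize-names
  "Hypothetical helper (not tk-jetty9 code). Accepts the value of
  ssl-protocols or cipher-suites as a comma-delimited string (all an INI
  file can express) or as a sequence (HOCON array); returns a vector of
  trimmed names, or nil when the setting is absent."
  [setting v]
  (let [raw (cond
              (nil? v)        nil
              (string? v)     (str/split v #",")
              (sequential? v) v
              :else (throw (IllegalArgumentException.
                            (str setting ": expected string or list, got "
                                 (pr-str v)))))]
    (when-not (every? string? raw)
      (throw (IllegalArgumentException.
              (str setting ": every entry must be a string"))))
    (let [names (some->> raw (mapv str/trim))]
      ;; Reject "TLSv1,,TLSv1.2" or "" rather than passing an empty name on.
      (when (some str/blank? names)
        (throw (IllegalArgumentException.
                (str setting ": empty entry in " (pr-str v)))))
      names)))

(defn jvm-supported
  "Protocol and cipher suite names offered by the default SSLContext."
  []
  (let [params (.getSupportedSSLParameters (SSLContext/getDefault))]
    {"ssl-protocols" (set (.getProtocols params))
     "cipher-suites" (set (.getCipherSuites params))}))

(defn unsupported-names
  "Configured names the running JVM does not offer (likely typos)."
  [setting names]
  (vec (remove (get (jvm-supported) setting) names)))

;; Constructed sample values: both forms normalize to the same vector.
(let [from-ini   (normalize-names "ssl-protocols" "TLSv1.2, TLSv1.3")
      from-hocon (normalize-names "ssl-protocols" ["TLSv1.2" "TLSv1.3"])]
  (println (= from-ini from-hocon) (unsupported-names "ssl-protocols" from-ini)))
```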

                People

                • Assignee:
                  Erik Dasher (erik)
                • Reporter:
                  Jeremy Barlow (jeremy.barlow)
                • QA Contact:
                  Erik Dasher
