[TK-133] Restore comma-delimited string for ssl-protocols and cipher-suites in tk-jetty9 Created: 2015/01/09  Updated: 2015/03/25  Resolved: 2015/03/24

Status: Resolved
Project: Trapperkeeper
Component/s: None
Affects Version/s: None
Fix Version/s: TK-JETTY9 1.2.0

Type: Bug Priority: Normal
Reporter: Jeremy Barlow Assignee: Erik Dasher
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Blocks
blocks PDB-1247 Get the TK max-threads fixes on stable Closed
Template:
Epic Link: Green: Puppet Server 1.0.8 / PE 3.8
Sub-team: emerald
Story Points: 1
Sprint: Server Emerald 2015-03-04, Server Emerald 2015-03-18, Server Emerald 2015-04-01
QA Contact: Erik Dasher

Description

In the 0.5.2 release of tk-jetty9, validation of the configuration was moved to Prismatic schema. During this process, support for specifying the values for the ssl-protocols and cipher-suites webserver settings as a comma-delimited string was lost. Note that these links – https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#cipher-suites and https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#ssl-protocols – still imply that delimiting the values with commas is supported. The only way to specify these values in 0.5.2 and later is via a configuration format like HOCON, which allows the value to be expressed as an array.

See this commit from the Prismatic schema PR for what this looked like prior to the change:

https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/pull/25/files#diff-1fc7ef9acd5fbc52947b0a4ba167e727L252

Because of this change, it is no longer possible to specify ssl-protocols or cipher-suites via the INI configuration file format. Latest PuppetDB packaging still supports specification of its configuration via INI files. PuppetDB's master branch has been updated to depend upon a tk-jetty9 version later than 0.5.2 and, therefore, no longer supports user specification of the ssl-protocols and cipher-suite settings. Fortunately, the latest PuppetDB release, 2.2.2, is referencing a pre-0.5.2 release of tk-jetty9 and, therefore, is not susceptible to this problem.

Until such time as support for INI configuration of tk-jetty9 settings can go away completely, we should look to restore the ability for tk-jetty9 to handle specification of the ssl-protocols and cipher-suites values as comma-delimited strings. PuppetDB would then need to be updated to reference a newer tk-jetty9 which would have this change.


Risk assessment: Medium (manual validation needed)
Probability: Medium (impacts users needing to specify cipher-suite)
Severity: Medium (work around available)
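The behaviour the description asks for, restated as an added example in Python (editor's illustration, not the Clojure code of tk-jetty9 or PuppetDB): a loader that accepts both the INI comma-delimited string and an already-split array for ssl-protocols and cipher-suites, normalizes either to one list, and rejects empty entries so a stray comma cannot silently shrink the protocol list. It also adds the check a practitioner would want before shipping such a config: the validation log in the comments shows SSLv3 being enabled, and the JVM's available-suite list there includes NULL, anonymous, EXPORT, RC4, DES and MD5 suites; the functions below flag those. The `[jetty]` section name and the INI text are constructed for the example, and the weak-suite patterns are the editor's choice, not a check tk-jetty9 performs.

```python
import configparser
from typing import Iterable, List, Union

# SSLv3 and SSLv2Hello are deprecated protocol names (RFC 6176 / RFC 7568).
# Treating them as findings is the editor's caveat, not tk-jetty9 behaviour.
DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3"}

# Substrings that identify weak cipher suites in the JSSE naming scheme
# (null encryption, anonymous key exchange, export grades, RC4, DES/3DES, MD5).
WEAK_SUITE_MARKERS = ("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_WITH_DES_", "3DES", "_MD5")

# Constructed jetty.ini fragment; it mirrors the entries quoted in the ticket's
# validation comment but is the editor's sample input, not a file from the page.
CONSTRUCTED_INI = """\
[jetty]
cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
ssl-protocols = TLSv1, TLSv1.1, TLSv1.2, SSLv3
"""


def normalize_list(value: Union[str, Iterable[str]]) -> List[str]:
    """Accept an INI-style comma-delimited string or an already-split sequence
    (HOCON array style) and return a list of trimmed, non-empty names."""
    parts = value.split(",") if isinstance(value, str) else list(value)
    items = [p.strip() for p in parts]
    cleaned = [p for p in items if p]
    if not cleaned:
        raise ValueError("setting must contain at least one value")
    # An empty entry ("TLSv1,,TLSv1.2") is almost always a typo; fail loudly
    # rather than quietly dropping it.
    if len(cleaned) != len(items):
        raise ValueError("empty entry in value %r" % (value,))
    return cleaned


def is_rejected(value: Union[str, Iterable[str]]) -> bool:
    """True when normalize_list refuses the value (used to exercise the error path)."""
    try:
        normalize_list(value)
    except ValueError:
        return True
    return False


def load_tls_settings(ini_text: str) -> dict:
    """Parse the [jetty] section of an INI document and normalize both settings."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["jetty"]
    return {
        "ssl-protocols": normalize_list(section["ssl-protocols"]),
        "cipher-suites": normalize_list(section["cipher-suites"]),
    }


def deprecated_protocols(protocols: Iterable[str]) -> List[str]:
    """Return the configured protocol names that are deprecated."""
    return [p for p in protocols if p in DEPRECATED_PROTOCOLS]


def weak_cipher_suites(suites: Iterable[str]) -> List[str]:
    """Return the configured suites whose names carry a weak-suite marker."""
    return [s for s in suites if any(m in s for m in WEAK_SUITE_MARKERS)]


if __name__ == "__main__":
    settings = load_tls_settings(CONSTRUCTED_INI)
    print("protocols:", settings["ssl-protocols"])
    print("suites:   ", settings["cipher-suites"])
    print("deprecated protocols:", deprecated_protocols(settings["ssl-protocols"]))
    print("weak suites:         ", weak_cipher_suites(settings["cipher-suites"]))
```

Run against the constructed INI the loader yields the same four protocols the Jetty log shows as enabled, and the deprecated-protocol check reports SSLv3; an HOCON-style list such as `["TLSv1.2"]` goes through the same `normalize_list` path unchanged.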



Comments
Comment by Jeremy Barlow [ 2015/01/09 ]

Ryan Senior, Joshua Partlow - fyi. Maybe a companion ticket should also be filed under PuppetDB to track this change?

Comment by Chris Price [ 2015/02/02 ]

Ken Barber Ryan Senior did you guys ever decide whether you were going to HOCON for 3.0?

Comment by Ryan Senior [ 2015/02/02 ]

Based on a March 11th delivery date and the console db rewrite requirements, definitely not. We've talked about it, but not gone beyond that.

Comment by Erik Dasher [ 2015/03/09 ]

The referenced PR was merged into master, therefore I'm moving this ticket into Green : Puppet 4.0 changes. Please let me know if this is incorrect.

Comment by Chris Price [ 2015/03/09 ]

It was merged into tk-j9 master branch, but there are no plans to include that version in Puppet Server 2.0.

Comment by Erik Dasher [ 2015/03/09 ]

I got the wrong repo. As Chris mentions above, there are no plans to include this in Puppet Server 2.0. This needs to be in the PE 3.8 / PuppetServer 1.1 epic.

Comment by Erik Dasher [ 2015/03/20 ]

Test by setting up a config file and make sure there are commas in between each value, and ensure that the puppetdb service comes up? I need to discuss with Russell Mull.

Comment by Erik Dasher [ 2015/03/24 ]

Using 3.8.0-rc0-311-gecd98f3 on RHEL7, validated that pe-puppetdb can read a jetty.ini file from /etc/puppetlabs/puppetdb/conf.d that contains these entries:
cipher-suites = TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
ssl-protocols = TLSv1, TLSv1.1, TLSv1.2, SSLv3

Log output supplies:
2015-03-24 15:25:14,662 DEBUG [o.e.j.u.s.SslContextFactory] Enabled Protocols [SSLv3, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
2015-03-24 15:25:14,668 DEBUG [o.e.j.u.s.SslContextFactory] Enabled Ciphers [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256] of [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

Generated at Wed Oct 16 03:48:26 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.