Puppet HTTPS connection using latest TLS version and cipher suites

asked 2018-02-06 07:20:43 -0500

Hi,

I'm using puppet (Version 4.8.2, but I have tested using V5) to communicate with an HTTPS server for file downloads/http_hiera lookups etc.

We're using an Amazon Elastic Load Balancer to handle our HTTPS traffic and have recently attempted to upgrade to TLS 1.2. Amazon provide pre-configured security policies for their load balancers, which enable/disable TLS versions and cipher suites:

https://docs.aws.amazon.com/elasticlo...

When I'm using policy TLS-1-1-2017-01, everything works fine, but when I use the very latest (TLS-1-2-2017-01), I receive the following error:

Puppet Evaluation Error: Error while evaluating a Function Call, Received fatal alert: handshake_failure

I've experimented with customising the security policy, and the only way to get puppet to successfully connect is to enable the AES256-SHA cipher - which I believe is insecure?

Is there a way to configure puppet so that it works with Amazon's latest security policy?

Thanks,

Dan

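The question above can be reproduced on loopback without touching a load balancer. The following is an added example, not code from the original post or from Puppet: a local TLS server is restricted to a constructed cipher list in the spirit of a "TLS 1.2 only, no SHA-1 CBC suites" policy (it is an approximation, not the exact AWS TLS-1-2-2017-01 list), and two clients probe it, one offering only `AES256-SHA` (the suite the poster had to re-enable) and one offering ECDHE suites. The first client receives exactly the `handshake_failure` alert seen in the question; the second negotiates. The certificate, cipher lists and helper names (`start_policy_server`, `probe`, `run_probe`) are all assumptions made for this example.

```ruby
# Added example (not from the original post): reproduce a TLS handshake_failure
# caused purely by a cipher-suite policy mismatch, on 127.0.0.1.
require "openssl"
require "socket"

# Constructed approximation of a "TLS 1.2 only, no SHA-1 suites" policy.
# This is NOT the exact AWS ELBSecurityPolicy-TLS-1-2-2017-01 list.
STRICT_POLICY_CIPHERS = %w[
  ECDHE-RSA-AES128-GCM-SHA256
  ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-RSA-AES128-SHA256
  ECDHE-RSA-AES256-SHA384
].join(":")

LEGACY_CLIENT_CIPHERS = "AES256-SHA" # TLS_RSA_WITH_AES_256_CBC_SHA, no forward secrecy
MODERN_CLIENT_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"

# Throwaway self-signed certificate for the loopback server (constructed at load).
def build_test_identity
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:localhost", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end
TEST_KEY, TEST_CERT = build_test_identity

# Pin both ends to TLS 1.2 so the cipher lists alone decide the outcome
# (TLS 1.3 carries its own suite list and would mask the effect).
def tls12_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx
end

# Loopback TLS server that accepts only the given cipher suites. The thread
# survives rejected handshakes, as a load balancer would. Returns [port, thread, tcp].
def start_policy_server(cipher_list)
  ctx = tls12_context
  ctx.cert = TEST_CERT
  ctx.key  = TEST_KEY
  ctx.ciphers = cipher_list
  tcp = TCPServer.new("127.0.0.1", 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = srv.accept # raises SSLError ("no shared cipher") for the legacy client
        conn.puts "ok"
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError
        next            # rejected client; keep serving
      rescue IOError
        break           # listening socket closed by run_probe
      end
    end
  end
  [tcp.addr[1], thread, tcp]
end

# Client offering only `cipher_list`. Returns the negotiated suite on success
# or OpenSSL's error text on failure; it verifies the server against the test cert.
def probe(port, cipher_list)
  ctx = tls12_context
  ctx.ciphers = cipher_list
  store = OpenSSL::X509::Store.new
  store.add_cert(TEST_CERT)
  ctx.cert_store  = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  sock = TCPSocket.new("127.0.0.1", port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  ssl.connect
  ssl.gets
  { ok: true, cipher: ssl.cipher[0] }
rescue OpenSSL::SSL::SSLError => e
  { ok: false, error: e.message }
ensure
  ssl ? ssl.close : sock&.close
end

def run_probe(server_ciphers, client_ciphers)
  port, thread, tcp = start_policy_server(server_ciphers)
  probe(port, client_ciphers)
ensure
  tcp&.close
  thread&.join(2)
end

if __FILE__ == $PROGRAM_NAME
  p run_probe(STRICT_POLICY_CIPHERS, LEGACY_CLIENT_CIPHERS) # {:ok=>false, :error=>"... handshake failure"}
  p run_probe(STRICT_POLICY_CIPHERS, MODERN_CLIENT_CIPHERS) # {:ok=>true, :cipher=>"ECDHE-RSA-AES128-GCM-SHA256"}
end
```

Against a real endpoint the same comparison can be made with `openssl s_client -tls1_2 -cipher AES256-SHA -connect host:443` versus an ECDHE suite: if only the legacy suite connects, the client side (the Ruby/OpenSSL build Puppet runs on, or an explicitly configured cipher list) is what limits the offered suites, and re-enabling `AES256-SHA` on the load balancer gives up forward secrecy rather than fixing the client.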