
Require TLS 1.2?

asked 2018-06-06 07:58:45 -0500

erichymowitz

Is there a way to configure the Puppet master to only accept TLS 1.2 and/or to use ECDHE? I am under a mandate to prevent any services from offering to accept TLS 1.0 or TLS 1.1 or DHE key exchange.

We are using Puppet 3.8.7 (please don't ask me to update; I can't) and ruby 1.8.7 (please don't ask me to update; I can't), and it seems that the easiest solution would be to configure the master to only accept TLS 1.2 rather than adjusting all of the individual agent machines.

Is this possible? If not, is there an easy-to-administer proxy that is suggested/recommended?

Thanks.


Comments

Is this Puppet Enterprise 3.8.7? Or an open source install? If open source, which version of Puppet Server?

csharpsteen ( 2018-06-06 10:05:55 -0500 )

This is open source. Both the agents and the master/server are version 3.8.7.

erichymowitz ( 2018-06-06 11:17:47 -0500 )

1 Answer


answered 2018-06-06 15:29:57 -0500

csharpsteen

The list of TLS protocol versions that Puppet Server will accept is part of the webserver configuration. This is done via the webserver.conf file (Docs for 5.3, but should still apply to 1.1):

https://puppet.com/docs/puppetserver/...

And the setting to use is ssl-protocols:

ssl-protocols: ["TLSv1.2"]

https://github.com/puppetlabs/trapper...

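A way to check a webserver.conf against the mandate in the question (TLS 1.2 only, ECDHE key exchange only), as an added Python example that is not part of the original answer or of Puppet's own tooling. The sample file is constructed, the function names are hypothetical, and `cipher-suites` is a setting of the same webserver configuration that the answer does not mention.

```python
import re

# Constructed sample of a webserver.conf (HOCON); not taken from the page.
SAMPLE_CONF = """
webserver: {
    ssl-host: 0.0.0.0
    ssl-port: 8140
    # legacy versions left enabled for old agents
    ssl-protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]
    cipher-suites: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}
"""

# Policy from the question: nothing below TLS 1.2, no plain DHE.
ALLOWED_PROTOCOLS = {"TLSv1.2"}


def _list_setting(conf, key):
    """Return the string list assigned to `key`, or None if the key is absent."""
    text = re.sub(r"(?m)^\s*(#|//).*$", "", conf)  # drop whole-line comments
    pattern = r"(?m)^\s*" + re.escape(key) + r"\s*[:=]\s*\[(.*?)\]"
    m = re.search(pattern, text, re.S)
    if m is None:
        return None
    return re.findall(r'"([^"]*)"', m.group(1))


def audit(conf):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    protocols = _list_setting(conf, "ssl-protocols")
    if protocols is None:
        findings.append("ssl-protocols not set: server default applies")
    else:
        findings += ["protocol not allowed: " + p
                     for p in protocols if p not in ALLOWED_PROTOCOLS]
    suites = _list_setting(conf, "cipher-suites")
    if suites is None:
        findings.append("cipher-suites not set: server default applies")
    else:
        # JSSE suite names put the key exchange right after the TLS_ prefix.
        findings += ["non-ECDHE cipher suite: " + s
                     for s in suites if not s.startswith("TLS_ECDHE_")]
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```

A file containing only the `ssl-protocols` line from the answer passes the protocol check but is still reported for leaving `cipher-suites` at the server default.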



Last updated: Jun 06