Require TLS 1.2?

asked 2018-06-06 07:58:45 -0600

erichymowitz

Is there a way to configure the Puppet master to only accept TLS 1.2 and/or to use ECDHE? I am under a mandate to prevent any services from offering to accept TLS 1.0 or TLS 1.1 or DHE key exchange.

We are using Puppet 3.8.7 (please don't ask me to update; I can't) and ruby 1.8.7 (please don't ask me to update; I can't), and it seems that the easiest solution would be to configure the master to only accept TLS 1.2 rather than adjusting all of the individual agent machines.

Is this possible? If not, is there an easy-to-administer proxy that is suggested/recommended?




Is this Puppet Enterprise 3.8.7? Or an open source install? If open source, which version of Puppet Server?

csharpsteen (2018-06-06 10:05:55 -0600)

This is open source. Both the agents and the master/server are version 3.8.7.

erichymowitz (2018-06-06 11:17:47 -0600)

1 Answer


answered 2018-06-06 15:29:57 -0600

csharpsteen

The list of TLS protocol versions that Puppet Server will accept is part of the webserver configuration. This is done via the webserver.conf file (Docs for 5.3, but should still apply to 1.1):

And the setting to use is ssl-protocols:

ssl-protocols: ["TLSv1.2"]

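An added example, not part of the original answer or of Puppet's own tooling: a small Python audit that reads webserver.conf text and reports anything that conflicts with the mandate in the question (protocols other than TLSv1.2, or DHE key exchange). The `cipher-suites` key is assumed from the same file and is not mentioned in the answer; the function names and both sample files are constructed for illustration.

```python
import re

ALLOWED_PROTOCOLS = {"TLSv1.2"}  # the mandate in the question: TLS 1.2 only

def list_setting(conf_text, key):
    """Return the items of `key: [...]` (or `key = [...]`), or None if unset."""
    # Drop whole-line HOCON comments so a commented-out setting is not counted.
    text = re.sub(r"(?m)^[ \t]*(#|//).*$", "", conf_text)
    m = re.search(r"(?<![\w-])%s\s*[:=]\s*\[(.*?)\]" % re.escape(key), text, re.S)
    if m is None:
        return None
    # HOCON list items are separated by commas or newlines; quotes are optional.
    return [i.strip().strip('"') for i in re.split(r"[,\n]", m.group(1)) if i.strip()]

def audit(conf_text):
    """Return findings against the mandate; an empty list means it is met."""
    findings = []
    protocols = list_setting(conf_text, "ssl-protocols")
    if protocols is None:
        findings.append("ssl-protocols is not set; the server default applies")
    else:
        findings += ["ssl-protocols allows %s" % p
                     for p in protocols if p not in ALLOWED_PROTOCOLS]
    suites = list_setting(conf_text, "cipher-suites")  # assumed companion setting
    if suites is None:
        findings.append("cipher-suites is not set; the server default applies")
    else:
        # JSSE suite names start TLS_<key exchange>_; ECDHE passes, plain DHE does not.
        findings += ["cipher-suites offers DHE key exchange: %s" % s
                     for s in suites if re.match(r"(TLS|SSL)_DHE_", s)]
    return findings

# Constructed sample files, not taken from a real master.
WEAK = """webserver: {
    ssl-port: 8140
    ssl-protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]
    cipher-suites: ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}"""
HARDENED = """webserver: {
    ssl-port: 8140
    # ssl-protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]
    ssl-protocols: ["TLSv1.2"]
    cipher-suites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
}"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "OK")
```

A clean audit only shows what the file asks for; a handshake test against the listening port after a restart is still what confirms the master refuses TLS 1.0 and 1.1.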


Last updated: Jun 06