puppetlabs
Update EL8+ and Debian SSL defaults
It has been a long time since the defaults were updated. This results in a safer out-of-the-box deployment, matching what the vendors do.
For reference, EL7 has SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA and SSLProtocol all -SSLv2 -SSLv3. The 3DES looks to be a mistake and I'd expect them to have meant !3DES. I have not updated that default nor checked SLES.
apache::mod::ssl is a class
Breaking changes to this file WILL impact these 28 modules (exact match):
- stephenrjohnson-puppet
- stackforge-keystone
- spotify-talos
- katello-pulp
- openstack-openstacklib
- openstack-horizon
- geoffwilliams-r_profile
- zivtech-drupal_php
- shoekstra-owncloud
- osc-openondemand
- stackforge-ceilometer
- ploperations-puppet
- stackforge-horizon
- openstack-panko
- monkygames-landscape
- abstractit-icinga
- xdrum-puppet
- objectiflibre-puppet
- datacentred-nfsen
- Ginja-puppet_stack
- jgazeley-nagios
- kritz-vagrantlamp
- dmcnicks-sympa
- gene1wood-ipquery
- pieterdp-hx_apache
- monkygames-beansbooks
- treydock-xdmod
- tomkrieger-pxe_install
Breaking changes to this file MAY impact these 2 modules (near match):
apache::params is a class
Breaking changes to this file WILL impact these 7 modules (exact match):
Breaking changes to this file MAY impact these 4 modules (near match):
This module is declared in 174 of 579 indexed public Puppetfiles.
These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.
Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.
![puppet-community-rangefinder[bot] avatar](https://avatars.githubusercontent.com/in/22507?v=4 "Published by a pub.dev verified publisher"){kind=small}
Includes https://github.com/puppetlabs/puppetlabs-apache/pull/2335 since EL8+ sets SSLProxyCipherSuite by default.
@david22swan @chelnak it would help me a lot if this was reviewed and merged this week. Currently the tests are still running, hoping they'll pass but I'd appreciate if you take a look at the general design.
I do not know why mod_md has started to fail. I've also never used mod_md myself so not sure what's wrong. Sadly the error log is not very useful. I've pushed some changes that I hope will help.
I decided to dive into how one would do this properly in rspec. https://github.com/voxpupuli/beaker-rspec/pull/115 is the result. I'll have a stab at porting this to Litmus, which should be very straight forward. That should allow me to provide sufficient debug info.
Now we're getting somewhere:
AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/httpd/example.com_error_ssl.log for more information
So it fails with:
Wed Oct 26 10:48:29.313335 2022] [ssl:warn] [pid 13085] AH10085: Init: example.com:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Wed Oct 26 10:48:29.313646 2022] [ssl:emerg] [pid 13085] AH01898: Unable to configure permitted SSL ciphers
[Wed Oct 26 10:48:29.313661 2022] [ssl:emerg] [pid 13085] SSL Library Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
So it looks like mod_md and using PROFILE=system is incompatible.
I'm debating options now. One option is to modify the test to explicitly set a cipher list. I'll try to set up a testing system to verify.
So it looks like mod_md and using
PROFILE=systemis incompatible.
Turns out it was much simpler than I thought. It only showed up with mod_md since that's the only HTTPS vhost. That means the ciphers aren't evaluated elsewhere and our mod_ssl acceptance test happily accepts it since it's syntactically valid. It's actually PROFILE=SYSTEM, not PROFILE=system.
@david22swan @chelnak test failures are now provisioning errors: it never even got to running the test suite. Can this be merged?