[PUP-4445]
Created: 2015/04/21 Updated: 2015/12/10
Status: Needs Information
Project: Puppet
Component/s: Client, Modules
Affects Version/s: PUP 4.0.0
Fix Version/s: None
Type: Improvement
Reporter: Louis Mayorga
Resolution: Unresolved
Labels: puppet, puppet-agent, ssl
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Priority: Normal
Votes: 0
Assignee: Louis Mayorga
Environment: Windows 2008R2, Windows 7
Attachments: Screen Shot 2015-04-21 at 11.57.06 AM.png
Issue Links: Relates
Template: customfield_10700 true
Scrum Team: Client Platform
QA Contact: Eric Thompson
Comments
Comment by Josh Cooper
[ 2015/04/21 ]
I can confirm that our compiled ruby does not support TLSv1_2:
    $ cmd /c irb.bat
    >> require 'openssl'
    >> OpenSSL::SSL::SSLContext::METHODS
    => [:TLSv1, :TLSv1_server, :TLSv1_client, :SSLv2, :SSLv2_server, :SSLv2_client, :SSLv3,
        :SSLv3_server, :SSLv3_client, :SSLv23, :SSLv23_server, :SSLv23_client]
I don't know if it's because of the way we're compiling openssl or ruby. /cc Melissa Stone
Comment by Louis Mayorga
[ 2015/04/21 ]
Not sure if this is related, but on OSX I am using RVM and it looks like TLS 1.2 is included.
    $ rvm use 2.1.5
    Using /Users/<userxyz>/.rvm/gems/ruby2.1.5
    $ ruby test.rb
    TLSv1
    TLSv1_server
    TLSv1_client
    TLSv1_2
    TLSv1_2_server
    TLSv1_2_client
    TLSv1_1
    TLSv1_1_server
    TLSv1_1_client
    SSLv2
    SSLv2_server
    SSLv2_client
    SSLv3
    SSLv3_server
    SSLv3_client
    SSLv23
    SSLv23_server
    SSLv23_client
Comment by Josh Cooper
[ 2015/04/21 ]
Louis Mayorga I should have looked more closely at your screenshot. The error you are seeing is almost certainly PUP-3450. You need to either install the GeoTrust Global CA certificate, or run Windows Update and browse to the forge in IE, or another browser, which will auto-install the cert for you. Please give that a try and close this ticket as a duplicate of PUP-3450 if it does.
Comment by Louis Mayorga
[ 2015/04/22 ]
The certificate is installed already, and it works when I am not connected to my corporate network, but it fails when I am connected to it.
So basically SSLv3 is blocked at the network level, but TLS 1.2 is supported.
Comment by Melissa Stone
[ 2015/04/22 ]
Hmm, this would come into play when we're compiling openssl, but I can't seem to track down exactly where that happens in rubyinstaller. I'll keep looking around, but in the meantime, Matthaus Owens or Rob Braden might have more insight.
Comment by Josh Cooper
[ 2015/04/22 ]
Louis Mayorga Puppet supports TLSv1.1 and 1.0, but not SSLv2 or SSLv3. If your corporate network were blocking TLSv1.0 or 1.1, then I would expect the initial ClientHello message sent by the client to the server to fail. However, the SSL handshake is proceeding far enough that the agent receives the server's Certificate message, and is unable to verify it.
I do agree that the Windows agent should support TLSv1.2, but I'm not sure that that is the reason for the failure. Can you run Wireshark on the Windows agent and capture a network trace (restricting traffic to port 8140)?
Comment by Christian Becker
[ 2015/07/27 ]
Are there any news on this?
I can confirm the issue on CentOS 7 with puppet-agent-1.2.2-1.el7.x86_64 from the PC1 repository.
Master config:
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:!EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL;
This is working fine for puppet 3, but breaking with the new agent package.
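The two observations in this thread, a Ruby build whose OpenSSL::SSL::SSLContext::METHODS stops at TLSv1 (first comment) and a master restricted to ssl_protocols TLSv1.2 (comment above), combine into one failure: the agent's ClientHello never offers a version the server accepts. The script below is an added example, not code from the ticket or from Puppet. It first repeats the METHODS check, then reproduces the negotiation failure in-process: a loopback TLS server refuses anything below TLS 1.2, and two clients connect, one capped at TLS 1.1 (standing in for the Windows build that lacks TLSv1_2) and one capable of TLS 1.2. It assumes Ruby's openssl binding provides min_version=/max_version= (Ruby 2.5 or later) and loopback networking; the self-signed certificate is constructed for the demo, and the client still verifies it against that certificate rather than disabling verification.

```ruby
require 'openssl'
require 'socket'
# Mirror of the METHODS check in the first comment: does this Ruby's OpenSSL
# binding list a TLS 1.2 method at all? Defaults to the live constant so the
# script reports on its own interpreter; explicit lists can be passed instead.
def tls12_available?(methods = OpenSSL::SSL::SSLContext::METHODS)
  methods.include?(:TLSv1_2)
end

# Constructed self-signed certificate for the loopback server (test-only data).
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  name = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment,keyCertSign', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost', false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One-shot loopback TLS server that, like "ssl_protocols TLSv1.2;" on the
# master, refuses anything older than TLS 1.2. Returns [port, thread]; the
# thread's value is the negotiated version, or nil if the handshake failed.
def start_tls12_only_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  tcp = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  thread = Thread.new do
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(tcp.accept, ctx)
      ssl.sync_close = true
      ssl.accept
      version = ssl.ssl_version
      ssl.close
      version
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      nil # handshake rejected (protocol_version alert) or peer went away
    ensure
      tcp.close
    end
  end
  [port, thread]
end

# Client handshake capped at max_version. Returns the negotiated protocol
# string (e.g. "TLSv1.2") or nil when the server rejects the handshake. The
# server certificate is verified against the constructed cert, not skipped.
def try_connect(port, cert, max_version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.max_version = max_version
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = 'localhost' # SNI
  ssl.connect
  ssl.ssl_version
rescue OpenSSL::SSL::SSLError
  nil
ensure
  ssl ? ssl.close : (tcp && tcp.close)
end

# A TLS 1.1-capped client (standing in for a build whose METHODS stop at
# :TLSv1) and a TLS 1.2-capable client, each against a TLS 1.2-only server.
def demonstrate
  cert, key = make_self_signed_cert
  { legacy_client_tls1_1_max: OpenSSL::SSL::TLS1_1_VERSION,
    modern_client_tls1_2_max: OpenSSL::SSL::TLS1_2_VERSION }.each_with_object({}) do |(label, max), out|
    port, server = start_tls12_only_server(cert, key)
    out[label] = try_connect(port, cert, max)
    server.join(5)
  end
end

if __FILE__ == $0
  puts "TLSv1_2 in SSLContext::METHODS: #{tls12_available?}"
  demonstrate.each { |label, v| puts "#{label}: #{v || 'handshake failed'}" }
end
```

Run it with `ruby tls12_check.rb` on the interpreter shipped with the agent. The capped client fails at the version negotiation step, before any certificate is exchanged, which is the distinction Josh Cooper draws above between a ClientHello failure and a certificate verification failure; a Wireshark capture on port 8140 would show either a protocol_version alert immediately after the ClientHello (this case) or a completed ServerHello and Certificate followed by the client aborting (the PUP-3450 case).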
Comment by Josh Cooper
[ 2015/12/10 ]
We moved to openssl 1.0.2d in puppet-agent 1.2.4 (*nix) and puppet-agent 1.2.7 (windows). Can you confirm this issue is resolved and close if so?
Generated at Sat Mar 05 21:58:50 PST 2016 using JIRA 6.4.12#64027sha1:e3691cc1283c0f3cef6d65d3ea82d47743692b57.