
(PUP-3467) Reject SSLv3 when initiating SSL connections
885838a0c170 (Unpublished)


Description

(PUP-3467) Reject SSLv3 when initiating SSL connections

Previously, when puppet initiated SSL connections, e.g. puppet agent,
puppet module, etc., it could downgrade to SSLv3.

This commit ensures puppet will not downgrade to SSLv3 by setting the
OpenSSL::SSL::OP_NO_SSLv3 bit. However, unlike SSLv2, we cannot remove
SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the
openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".

[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
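
The approach the commit message describes, as an added Ruby example (not code from this commit or from Puppet): set the `OP_NO_SSLv3` bit on a client context, audit for it, and confirm the ciphersuite list is left alone. The helper names are hypothetical.

```ruby
require 'openssl'

# Hypothetical helper (not Puppet's code): build a client-side context that
# refuses SSLv2 and SSLv3 by setting protocol option bits only.
def hardened_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  # Older Ruby versions may return nil for options until they are set.
  current = ctx.options || 0
  ctx.options = current | OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  ctx
end

# Audit check: true only if the context carries the OP_NO_SSLv3 bit.
def sslv3_rejected?(ctx)
  ((ctx.options || 0) & OpenSSL::SSL::OP_NO_SSLv3) != 0
end

# Names of every ciphersuite enabled on the context.
def cipher_names(ctx)
  ctx.ciphers.map { |cipher| cipher[0] }
end

# Names of enabled ciphersuites that OpenSSL labels "SSLv3". The label marks
# the protocol version that first defined the suite; TLSv1 uses the same
# suites, so filtering them out would also affect TLSv1 connections.
def ciphers_flagged_sslv3(ctx)
  ctx.ciphers.select { |cipher| cipher[1] == 'SSLv3' }.map { |cipher| cipher[0] }
end

if __FILE__ == $PROGRAM_NAME
  ctx = hardened_client_context
  puts "SSLv3 rejected: #{sslv3_rejected?(ctx)}"
  puts "Ciphersuites enabled: #{cipher_names(ctx).length}"
  puts "Still flagged SSLv3 by OpenSSL: #{ciphers_flagged_sslv3(ctx).length}"
end
```

The counts printed depend on the local OpenSSL build and its configured defaults.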

Details

Provenance
Josh Cooper <josh@puppetlabs.com> Authored on
vanmeeuwen Pushed on Jun 2 2015, 2:22 PM
Parents
rPU67b89bdda951: (PUP-3467) Update webrick ciphersuites to match passenger
Branches
Unknown
Tags
Unknown

Event Timeline

Josh Cooper <josh@puppetlabs.com> committed rPU885838a0c170: (PUP-3467) Reject SSLv3 when initiating SSL connections (authored by Josh Cooper <josh@puppetlabs.com>). Oct 21 2014, 2:01 AM