Impact of Puppet Forge security updates in response to Sweet32 attack
At Puppet, we take the security of our products seriously. We respond to security issues and concerns promptly, and when necessary, we release new versions of the product to address vulnerabilities or security issues. In response to the Sweet32 attacks on TLS, Puppet has recently updated the cipher suite on the Puppet Forge servers to the current configuration recommended by Mozilla.
There should be no impact for the vast majority of Puppet Enterprise and open source Puppet users, as Puppet tools should automatically use other cipher suites. We have verified that supported releases of Puppet Enterprise are unaffected by this change.
However, releases prior to Puppet Enterprise 2015.2.1 are bundled with a version of the OpenSSL library that is too old to support the updated cipher list. This results in negotiation errors when using Code Manager or r10k with modules served from the Forge, similar to the following:
ERROR -> SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure
Users of open source Puppet may experience similar errors with Puppet Agent older than 1.2.4.
Note that GitHub is also in the process of making the same changes and will no longer support these suites after 22 February 2018. Once those changes go into effect, using Code Manager or r10k with the shellgit provider enabled may result in similar errors on some platforms when fetching modules from GitHub.
In the interim, you can avoid these errors by using a local repository to serve your modules.
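The following shell script is an added example and is not part of Puppet's post or tooling. It flags an OpenSSL build older than 1.0.1 (the first release with TLS 1.2 and AES-GCM suites, a fact not stated in the post), recognises the r10k handshake-failure line quoted above in log output, and can run a live handshake against a host you name; the Forge hostname is left as a placeholder.

```shell
#!/bin/sh
# Added example, not from the Puppet post. Assumption (a known fact, but not
# stated in the post): OpenSSL 1.0.1 is the first release with TLS 1.2 and
# AES-GCM suites, so older builds cannot negotiate the updated cipher list.
# FORGE_HOST is a placeholder; set it to the real Forge host before use.
FORGE_HOST="${FORGE_HOST:-forge.example.invalid}"

# openssl_version_ok "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   -> 0 if version >= 1.0.1, 1 if too old, 2 if the string is unparseable
openssl_version_ok() {
  ver=$(printf '%s' "$1" |
    sed -n 's/^OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || return 2
  set -- $ver            # word-split into major minor patch
  if [ "$1" -gt 1 ]; then return 0; fi
  if [ "$1" -lt 1 ]; then return 1; fi
  if [ "$2" -gt 0 ]; then return 0; fi
  [ "$3" -ge 1 ]
}

# is_sweet32_handshake_error "<log line>" -> 0 when the line carries the
# r10k/Code Manager handshake-failure signature quoted in the post
is_sweet32_handshake_error() {
  case "$1" in
    *"sslv3 alert handshake failure"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_forge_tls HOST: handshake with HOST:443 using the local OpenSSL and
# report the negotiated cipher, or the handshake failure described in the post
check_forge_tls() {
  host="$1"
  out=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>&1)
  if is_sweet32_handshake_error "$out"; then
    echo "FAIL: handshake with $host failed (no shared cipher suite, as in the post)"
    return 1
  fi
  printf '%s\n' "$out" | grep -E '^ *Cipher +:' || echo "no cipher line in output"
}

# Usage: sh forge-tls-check.sh --live   (version check, then connect to $FORGE_HOST)
if [ "${1:-}" = "--live" ]; then
  v=$(openssl version 2>/dev/null)
  if openssl_version_ok "$v"; then echo "OK: $v"; else echo "TOO OLD or unparseable: $v"; fi
  check_forge_tls "$FORGE_HOST"
fi
```

Run it with `--live` on a Code Manager or r10k host to see both the local OpenSSL verdict and the cipher the Forge actually negotiates.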
Tom Kishel is a senior support engineer at Puppet.