(PE-36348) Enable legacy openssl algos in PE Installer runtime to support Bolt's WinRM transport #699
Conversation
```ruby
if settings[:use_legacy_openssl_algos]
  pkg.apply_patch 'resources/patches/openssl/openssl-3-activate-legacy-algos.patch'
else
  configure_flags << 'no-legacy' << 'no-md4' << 'no-des'
```
This ticket (https://tickets.puppetlabs.com/browse/PE-36078) enumerates the changes need, and it says "no-des" should be included when legacy algos are not enabled, but.... it wasn't included before.
I added it thinking it might have been an oversight in the original Puppet 8 work, but would love to know if this is overkill and/or actively not wanted in the puppet-runtime. /cc @joshcooper
It's like you read my mind 😁 We had plans on adding no-des in https://tickets.puppetlabs.com/browse/PA-5587, but put it on hold when PE started failing due to no-md4. But now that you've detangled that, I'm 👍 to this PR
Note: there's a
this builds without error and the resulting tarball has the openssl.cnf changes specified in the ticket:
Still figuring out how to work that into a PE build.
Using a pe-installer built with this runtime on Redhat 8 and a Windows 2022 agent I think I've verified this works as intended:
Weeelllll, I guess that all might be because I'm still shipping the forked gem that vendors a Ruby implementation of MD4. I'll put up a PR with that pulled out and then redo this testing.
Okay the newest package installs what I believe is the proper rubyntlm gem, one that does not have the md4.rb file in it:
And can execute the
(One caveat being I could not get it to pass in the list of agents I wanted to so I manually edited the I'll set the lifetime of these nodes through next Monday so others can inspect the boxes if they want. (console login is admin:password)
…to support Bolt/WinRM
This reverts commit 0ebee8c.
Looks great! I'm not sure about the des algorithm. I thought it was one of the algos in question to be able to continue to support building or running postgres. But I can't seem to find that info. We will see what Josh has to say on that but I don't think we need to block on that. I'm going to go ahead and get this merged so we can get tests/promotions going.
Not sure if you've seen this, but Gabi wrote a handy tool to check what projects and/or platforms will be affected. For this PR, I see the following project changes, which I think is ok/expected, but wanted to double check?
Here is what your code changes would affect: Project
Unfortunately seeing errors when building curl on most of the puppet8 agent runtimes:
Specifying
Okay, I'll open a PR to fix.
Should be fixed in #702
Implements the solution described in https://tickets.puppetlabs.com/browse/PE-36078
Still needs building & testing but putting this up so I can verify I understand the basics correctly.