Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(PE-36348) Enable legacy openssl algos in PE Installer runtime to support Bolt's WinRM transport #699

Merged
merged 4 commits into from
Jul 17, 2023
Merged

(PE-36348) Enable legacy openssl algos in PE Installer runtime to support Bolt's WinRM transport #699

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
039c2ed
(PE-36348) Set use_legacy_openssl_algos in pe-installer-runtime-main …
justinstoller Jul 11, 2023
b85bf0f
(PE-36348) Honor use_legacy_openssl_algos in openssl 3 configure flags
justinstoller Jul 11, 2023
c7ddc67
(PE-36348) Activate legacy section in openssl.cnf if needed
justinstoller Jul 12, 2023
d993409
Revert "(PE-36078) Use fork of ntlm with md4 ruby algo"
justinstoller Jul 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 8 additions & 3 deletions configs/components/openssl-3.0.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,13 +128,18 @@
# 'no-bf', pgcrypto is requires this cipher in postgres for puppetdb
# 'no-cast', pgcrypto is requires this cipher in postgres for puppetdb
'no-rc5',
# 'no-md4', puppet infra uses the agent's runtime and runs WinRM tasks using NTLM, so it needs DES & MD4
'no-mdc2',
# 'no-rmd160', this is causing failures with pxp, remove once pxp-agent does not need it
'no-whirlpool',
'no-legacy'
'no-whirlpool'
]

if settings[:use_legacy_openssl_algos]
pkg.apply_patch 'resources/patches/openssl/openssl-3-activate-legacy-algos.patch'
else
configure_flags << 'no-legacy' << 'no-md4' << 'no-des'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This ticket (https://tickets.puppetlabs.com/browse/PE-36078) enumerates the changes need, and it says "no-des" should be included when legacy algos are not enabled, but.... it wasn't included before.

I added it thinking it might have been an oversight in the original Puppet 8 work, but would love to know if this is overkill and/or actively not wanted in the puppet-runtime. /cc @joshcooper

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It like you read my mind 😁 We had plans on adding no-des in https://tickets.puppetlabs.com/browse/PA-5587, but put it on hold when PE started failing due to no-md4. But now that you've detangled that, I'm 👍 to this PR

end


# Individual projects may provide their own openssl configure flags:
project_flags = settings[:openssl_extra_configure_flags] || []
perl_exec = ''
Expand Down
11 changes: 4 additions & 7 deletions configs/projects/pe-installer-runtime-main.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,11 @@
proj.setting(:runtime_project, 'pe-installer')
proj.setting(:ruby_version, '3.2.2')
proj.setting(:augeas_version, '1.13.0')
# We need to explicitly define 1.1.1k here to avoid
# build dep conflicts between openssl-1.1.1 needed by curl
# and krb5-devel
proj.setting(:openssl_version, '3.0')
# NLTM uses MD4 unconditionally in its protocol, so legacy algos must be
# enabled in OpenSSL >= 3.0 for Bolt's WinRM transport to work.
# We DO NOT WANT legacy algos enabled for the Puppet Agent runtime.
proj.setting(:use_legacy_openssl_algos, true)
platform = proj.get_platform

proj.version_from_git
Expand Down Expand Up @@ -96,10 +97,6 @@
proj.component 'rubygem-prime'
proj.component 'rubygem-erubi'

#TODO: Once we solve PE-36078 stop using forked ntlm
proj.setting(:gem_build, "#{proj.host_gem} build")
proj.component('rubygem-rubyntlm-fork')

# What to include in package?
proj.directory proj.prefix

Expand Down
24 changes: 24 additions & 0 deletions resources/patches/openssl/openssl-3-activate-legacy-algos.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 12bc408..8ab8aa7 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -56,6 +56,7 @@ providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
+legacy = legacy_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
@@ -69,7 +70,10 @@ default = default_sect
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
-# activate = 1
+activate = 1
+
+[legacy_sect]
+activate = 1


####################################################################
Loading