Due to regulatory compliance or other requirements, you might need to verify which SSL protocols and cipher suites SSL-enabled PE services use when communicating with other PE components. Verify which SSL protocols and cipher suites are supported by PE services by installing SSLyze and scanning a port on a node where a PE service is listening.
Once you've verified protocols and cipher suites, you can set SSL cipher suites for PE services.
Note: We cannot troubleshoot third-party software, if you need help with the SSLyze tool please refer to the maintainer’s GitHub page. Get a full list of SSLyze’s features and options by running sslyze -h.
Version and installation information
PE version: All
OS: Any Linux distribution or Windows
Note: The following instructions were tested on RHEL/CentOS 7 with SSLyze installed on the primary server node (called the master in older versions of PE). If SSLyze is installed on one node and scanning another node, you’ll need to modify the path you use to scan a port. To modify the instructions for other Linux distributions or Windows, refer to the maintainer’s GitHub page.
Solution
- Install the Python-based tool SSLyze
- Use SSLyze to verify SSL protocols and cipher suites for PE services
Install SSLyze
Before you install the SSLyze tool, you’ll need to install the python-dev tools package and pip package management system.
Note: Depending on your Linux distro, the package name for python-dev tools might be different.
The openssl, openssl-lib and openssl-devel packages are also required for the tool to build, but installing those is outside the scope of this article.
- Set up the EPEL repositories:
rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - Install the Python 3.6 development RPM:
yum install -y python36-devel - Get pip:
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py" - Install pip:
python3 get-pip.py - Use pip to install SSLyze:
pip install sslyze
SSLyze is now installed and ready to use.
Verify SSL protocols and cipher suites
Run a regular SSLyze scan against a node and port where an SSL-enabled service is listening to verify the protocols and cipher suites in use by any SSL-enabled service on a puppet infrastructure node.
For example:
- Console services on port 443:
sslyze --regular localhost:443 - The PuppetDB API on port 8081:
sslyze --regular localhost:8081 - Puppet Server on port 8140:
sslyze --regular localhost:8140
Note: The following output is from a PE 2016.4.2 primary server. All protocols except TLSv1.2 are disabled. Note that all cipher suites for SSLv2, SSLv3, TLSv1, and TLSv1.1 are rejected. A number of different cipher suites are acceptable for TLSv1.2, but the preferred cipher suite is TLS_RSA_WITH_AES_256_CBC_SHA256.
[root@pe-201642-server vagrant]# sslyze --regular localhost:8140
AVAILABLE PLUGINS
-----------------
FallbackScsvPlugin
OpenSslCipherSuitesPlugin
HttpHeadersPlugin
SessionResumptionPlugin
CertificateInfoPlugin
OpenSslCcsInjectionPlugin
HeartbleedPlugin
CompressionPlugin
SessionRenegotiationPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
localhost:8140 => 127.0.0.1 WARNING: Server requested optional client authentication
SCAN RESULTS FOR LOCALHOST:8140 - 127.0.0.1:8140
------------------------------------------------
* TLSV1 Cipher Suites:
Server rejected all cipher suites.
* TLSV1_1 Cipher Suites:
Server rejected all cipher suites.
* SSLV3 Cipher Suites:
Server rejected all cipher suites.
* Deflate Compression:
OK - Compression disabled
* Session Renegotiation:
Client-initiated Renegotiation: VULNERABLE - Server honors client-initiated renegotiations
Secure Renegotiation: OK - Supported
* Session Resumption:
With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Tickets: NOT SUPPORTED - TLS ticket not assigned.
* OpenSSL CCS Injection:
OK - Not vulnerable to OpenSSL CCS injection
* TLSV1_2 Cipher Suites:
Preferred:
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits
Accepted:
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits
TLS_RSA_WITH_RC4_128_SHA - 128 bits
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
* SSLV2 Cipher Suites:
Server rejected all cipher suites.
* Downgrade Attacks:
TLS_FALLBACK_SCSV: OK - Supported
* Certificate Basic Information:
SHA1 Fingerprint: 8af329ba2c0469acc91def2c6b22d1c7e27b7b0f
Common Name: pe-201642-server.puppetdebug.vlan
Issuer: Puppet Enterprise CA generated on pe-201642-server.puppetdebug.vlan at +2016-11-16 09:33:11 +0000
Serial Number: 02
Not Before: Nov 15 09:33:18 2016 GMT
Not After: Nov 15 09:33:18 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Key Size: 4096
Exponent: 65537 (0x10001)
X509v3 Subject Alternative Name: {'DNS': ['pe-201642-server.puppetdebug.vlan', 'puppet']}
* Certificate - Trust:
Hostname Validation: FAILED - Certificate does NOT match localhost
Mozilla NSS CA Store (09/2016): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Microsoft CA Store (09/2016): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Java 7 CA Store (Update 79): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
AOSP CA Store (7.0.0 r1): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Apple CA Store (OS X 10.11.6): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Received Chain: pe-201642-server.puppetdebug.vlan
Verified Chain w/ Mozilla Store: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
* Certificate - OCSP Stapling:
NOT SUPPORTED - Server did not send back an OCSP response.
Unhandled exception while running --heartbleed:
timeout - timed out
SCAN COMPLETED IN 6.51 S
------------------------
How can we improve this article?
3 comments
This document mentions it applies to both Linux and Windows. Can you add instructions for verifying Windows?
Hi, that's a really good question.
I'm the technical writer for the team. I can't answer your question myself, but I'm going to have one of the team respond.
Bob,
The SSLyze docs cover Windows installation, which is simply to download the Windows release as a zip from the repo and extract it: https://nabla-c0d3.github.io/sslyze/documentation/installation.html#using-the-windows-executable
> A pre-compiled Windows executable is available in the Releases page of the GitHub project.
> This executable only gives access to the command line interface and does not allow using SSLyze’s Python API.
Since it's a standalone executable with no installer, and doesn't require any of the Python pre-requisites, you should be able to jump in directly to the "Verify SSL protocols and cipher suites" section of this article and run the command from wherever you extracted it.
```
PS C:\Users\GG\Downloads\sslyze-3.0.8-exe> .\sslyze.exe --regular puppetmaster.lan:443
CHECKING HOST(S) AVAILABILITY
-----------------------------
puppetmaster.lan:443 => 192.168.0.110
SCAN RESULTS FOR PUPPETMASTER.LAN:443 - 192.168.0.110
-----------------------------------------------
...
```
Please sign in to leave a comment.
Related articles