Due to regulatory compliance or other requirements, you might need to change the cipher suites that SSL-enabled Puppet Enterprise services use to communicate with other PE components.
Version and installation information
PE version: All supported versions
Solution
You can set SSL cipher suites for Puppet services or the console services using Hiera (preferred) or in the console.
Note: Settings in the console override settings in Hiera. Set the parameter in one or the other, but not both.
Warning: The cipher suites in the examples are placeholders only. Replace them with the cipher suites your own policy requires.
Set SSL ciphers for Puppet services
The puppet_enterprise::ssl_cipher_suites parameter sets SSL cipher suites for Puppet Server, PuppetDB, and orchestration services.
In Hiera
On the primary server (called the master in older versions of PE), set cipher suites in your common.yaml using an array. For example:
puppet_enterprise::ssl_cipher_suites:
  - 'SSL_RSA_WITH_NULL_MD5'
  - 'SSL_RSA_WITH_NULL_SHA'
  - 'TLS_DH_anon_WITH_AES_128_CBC_SHA'
  - 'TLS_DH_anon_WITH_AES_128_CBC_SHA256'
In the console
Navigate to the PE Infrastructure group. In the puppet_enterprise class, set the ssl_cipher_suites parameter:
["SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA256"]
Set SSL ciphers for console services
The puppet_enterprise::profile::console::proxy::ssl_ciphers parameter sets cipher suites for console services, affecting traffic on port 443.
In Hiera
On the primary server, set RFC format cipher suites in your common.yaml as a single colon-separated string (no spaces between entries). For example:
puppet_enterprise::profile::console::proxy::ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA"
In the console
Click the PE Console node group. On the Configuration data tab, specify the puppet_enterprise::profile::console::proxy class and the ssl_ciphers parameter, and add the following to the data section:
["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA"]
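The two settings above use different naming conventions: the Puppet services list uses IANA-style names such as TLS_..._WITH_... in a YAML array, while the console proxy string uses OpenSSL-style names such as ECDHE-RSA-AES128-GCM-SHA256 joined by colons. Mixing them up, or leaving the article's placeholder NULL and anonymous-DH suites in place, is easy to do and hard to notice until the service fails to start or is found negotiating an unencrypted connection. The following Python script is an added example, not part of this article or of Puppet Enterprise: it loads a common.yaml fragment containing both keys (a minimal loader for just the two value shapes shown here, not a general YAML parser), checks each key has the expected shape and naming convention, and flags suites that offer no encryption, no server authentication, legacy algorithms, or no forward secrecy. The sample fragment and the weakness rules are constructed for the example and the rules are name-based only; they do not consult an OpenSSL cipher database.

```python
"""Offline sanity check for the two PE cipher-suite settings (added example)."""
import re

KEY_SERVICES = 'puppet_enterprise::ssl_cipher_suites'
KEY_CONSOLE = 'puppet_enterprise::profile::console::proxy::ssl_ciphers'

# Constructed sample fragment: the first two service suites mirror the
# article's placeholders and are expected to be flagged; the console string
# carries a stray space, as the article's example does.
SAMPLE_COMMON_YAML = """\
# constructed sample, not a production configuration
puppet_enterprise::ssl_cipher_suites:
  - 'SSL_RSA_WITH_NULL_MD5'
  - 'TLS_DH_anon_WITH_AES_128_CBC_SHA'
  - 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
puppet_enterprise::profile::console::proxy::ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256: DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:AES128-SHA"
"""

# A key ends at the first colon that is followed by whitespace or end of line,
# so keys containing '::' and values containing ':' both survive.
_KEY_RE = re.compile(r'^([\w:]+?):(?:\s+(.*))?$')
_IANA_RE = re.compile(r'^(?:TLS|SSL)_[A-Za-z0-9_]+$')          # TLS_ECDHE_RSA_WITH_...
_OPENSSL_RE = re.compile(r'^[!+-]?[A-Za-z0-9]+(?:[+-][A-Za-z0-9]+)*$')  # ECDHE-RSA-..., kEDH+AESGCM


def parse_hiera_fragment(text):
    """Minimal loader (assumption: only 'key:' + '- item' lists or 'key: scalar')."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('- '):
            if current is None:
                raise ValueError('list item without a list key: %r' % raw)
            data[current].append(line[2:].strip().strip('\'"'))
            continue
        m = _KEY_RE.match(line)
        if not m:
            raise ValueError('unrecognised line: %r' % raw)
        key, value = m.group(1), m.group(2)
        if value is None:
            data[key], current = [], key          # list follows on the next lines
        else:
            data[key], current = value.strip().strip('\'"'), None
    return data


def split_cipher_string(value):
    """OpenSSL accepts ':' ',' or whitespace between entries; splitting on all
    three also absorbs stray spaces like the one in the sample string."""
    return [p for p in re.split(r'[:,\s]+', value) if p]


def audit_suite(name):
    """Return the reasons a suite is unsuitable for production (empty list = OK)."""
    u = name.upper()
    issues = []
    if 'NULL' in u:
        issues.append('no encryption')
    if 'ANON' in u or u.startswith(('ADH', 'AECDH')):
        issues.append('no server authentication')
    if 'EXPORT' in u or u.startswith('EXP'):
        issues.append('export-grade key size')
    if 'RC4' in u:
        issues.append('RC4')
    if 'MD5' in u:
        issues.append('MD5 MAC')
    if 'DES' in u:
        issues.append('DES/3DES')
    # Ephemeral (EC)DH key exchange, including the anonymous variants, gives
    # forward secrecy; static-RSA names such as TLS_RSA_WITH_... or AES128-SHA do not.
    if not any(k in u for k in ('ECDHE', 'DHE', 'EDH', 'EECDH', 'DH_ANON', 'ADH', 'AECDH')):
        issues.append('no forward secrecy')
    return issues


def audit_settings(data):
    """Check shape, naming convention and per-suite weaknesses for both keys.
    Returns {key: {'format_errors': [...], 'weak': {suite: [reasons]}}}."""
    expectations = {
        KEY_SERVICES: (list, _IANA_RE, 'IANA/RFC-style names in a YAML array'),
        KEY_CONSOLE: (str, _OPENSSL_RE, 'OpenSSL-style names in one colon-separated string'),
    }
    report = {}
    for key, (kind, pattern, description) in expectations.items():
        if key not in data:
            continue
        value = data[key]
        entry = {'format_errors': [], 'weak': {}}
        if not isinstance(value, kind):
            entry['format_errors'].append('expected %s' % description)
        suites = value if isinstance(value, list) else split_cipher_string(str(value))
        for suite in suites:
            if not pattern.match(suite):
                entry['format_errors'].append('%r is not %s' % (suite, description))
            issues = audit_suite(suite)
            if issues:
                entry['weak'][suite] = issues
        report[key] = entry
    return report


if __name__ == '__main__':
    for key, entry in audit_settings(parse_hiera_fragment(SAMPLE_COMMON_YAML)).items():
        print(key)
        for err in entry['format_errors']:
            print('  format:', err)
        for suite, issues in entry['weak'].items():
            print('  weak: %s (%s)' % (suite, ', '.join(issues)))
```

Run it against your own common.yaml by replacing the sample text with the file contents. Because the console setting in the PE console is entered as a JSON array rather than a colon-separated string, a list value for KEY_CONSOLE is reported as a shape error while its entries are still audited, which is the same mismatch you would get by pasting the Hiera string form into the console or vice versa.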
Additional Resources
Verify SSL protocols and cipher suites in use on Puppet Enterprise nodes
3 comments
The "Set SSL ciphers for Puppet services" unfortunately does not tell which format is used for the cipher suites. On top of that it does not list the available cipher suites that I can put in the list. How am I supposed to know what I can put in there?
Hi Benjamin, I've passed your question on to the team. If it's urgent, please don't hesitate to open a ticket.
Hi Benjamin,
More info on this can be found here where it specifies the formats used: https://puppet.com/docs/pe/2019.8/configuring_security_settings.html#configuring_cipher_suites
As well as the compatible ciphers for PE: https://puppet.com/docs/pe/2019.8/pe_architecture_overview.html#ciphers_reference
If you have any further questions, please don't hesitate to raise a support ticket.
Thank you,
Patrick