General discussion about Chef

[chef] Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?


Chronological Thread 
  • From: bln workplace < >
  • To:
  • Subject: [chef] Re: Re: Re: How could I configurate a trusted SSL certificate in chef 12?
  • Date: Wed, 10 Jun 2015 16:52:36 +0200
Thanks for your answers.

As far I can see the problem is the server ciphers to 1024 bits by default. When I put  nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem" in the /etc/opscode/chef-server.rb file this parameter doesn't apply when I run chef-server-ctl reconfigure, it's ignored. 

If I try to put this DH parameter in /var/opt/opscode/nginx/etc/chef_http_lb.conf file my server uses my new dhparams.pem to 2048 bits so I pass the vulnerability test but when I run chef-server-ctl reconfigure this parameter is gone.

So my provisional solution is to create a new file in /var/opt/opscode/nginx/etc/nginx.d/dhparams.conf for adding non default configuration to nginx and in this file I have put the path to my new Diffie-Hellman group: 
ssl_dhparam /etc/ssl/private/dhparams.pem;

I think this is a nasty solution by I don't know another better at the moment. Maybe this ssl_dhparam could be recognized by default or maybe I need to put this parameter in another side that I don't know or maybe is a bug...

2015-06-09 16:47 GMT+02:00 Brandon Raabe < " target="_blank"> >:
You can also find example configurations that should pass the SSL Labs test here:

https://cipherli.st

On Tue, Jun 9, 2015 at 5:57 AM Christine Draper < " target="_blank"> > wrote:
I suspect you need to remove the DSS ciphers too (and probably explicitly exclude them with !DSS). 

See e.g.


Regards,
Christine

On Mon, Jun 8, 2015 at 7:21 PM, bln workplace < " target="_blank"> > wrote:
Hi all,

I have the open source chef server 12 installed and I want to change the self signed SSL certificate for a trusted SSL certificate and at the same time pass the test here: https://www.ssllabs.com/ssltest/index.html

After the last Logjam vulnerability I've bought a Possitive SSL wildcard cert (I use *.mydomain.com in several servers with different subdomains) and I've put my .key file and .crt file in /etc/opscode/. In the /etc/opscode/chef-server.rb I've added:

nginx['ssl_certificate'] = "/etc/opscode/camydomain.com.crt"  => here, there is a concatenated file with my serverdomain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt, in this order.
nginx['ssl_certificate_key'] = "/etc/opscode/mydomain.com.key"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_dhparam'] = "/etc/ssl/private/dhparams.pem"

And I've created /etc/ssl/private/dhparams.pem with the command "openssl dhparam -out dhparams.pem 2048", following these instruccions: https://weakdh.org/sysadmin.html

Finally I run: chef-server-ctl reconfigure and I can see how it has been added in /etc/opscode/.chef-server-running.json.

But if I check my site again I obtain a B rate with the following message: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B"


Someone knows what I am missing?


/opt/opscode/embedded/bin/openssl version
OpenSSL 1.0.1m 19 Mar 2015

Thanks in advance



Archive powered by MHonArc 2.6.16.

§