I have a Puppet server and I am trying to make port 8140 compliant for Puppet 4.
When I run nmap -sV --script ssl-enum-ciphers -p 8140 <puppet-server>
I get the following:
PORT     STATE SERVICE  VERSION
8140/tcp open  ssl/http Jetty 9.2.z-SNAPSHOT
|_http-server-header: Jetty(9.2.z-SNAPSHOT)
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Forward Secrecy not supported by any cipher
I have checked the entire /etc/puppetlabs directory and am still not able to figure out where it is defined. Does anyone know where it is defined in Puppet? Thank you.
How to make port 8140 TLS 1.2 compliant in puppet 4?
As nmap discovered for you, the Puppet server uses a bundled Jetty server to service requests at port 8140. Puppet 4 is so out of date that Puppet, Inc. no longer maintains documentation for it on their web site, but in Puppet 5 (earliest version for which docs are provided) you would configure the supported SSL protocols via the tls-protocols property, and maybe augment that by configuring the supported cipher suites via the cipher-suites property in the HOCON-formatted /etc/puppetlabs/puppetserver/conf.d/webserver.conf configuration file.
The referenced doc links to details of the supported properties and values here: https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/main/doc/jetty-config.md, which in turn links to JDK documentation for full details of the supported values. How much of that pertains to Puppet 4 is unclear to me. Presuming it is supported at all in that version, however, TLS 1.2 will be identified by the name TLSv1.2.
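To confirm the effect of a configuration change, the scan from the question can be re-run and its ssl-enum-ciphers report checked automatically. The following is an added example, not part of the original question or answer; the function names are hypothetical and the sample is the question's output with nmap's usual indentation assumed.

```python
import re

# Scan output quoted in the question; indentation restored as an assumption.
SAMPLE = """\
8140/tcp open  ssl/http Jetty 9.2.z-SNAPSHOT
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Forward Secrecy not supported by any cipher
"""

PROTO = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+)\s")


def parse(report):
    """Return {protocol: [cipher suite names]} from ssl-enum-ciphers text."""
    offered, current = {}, None
    for line in report.splitlines():
        m = PROTO.match(line)
        if m:
            current = offered.setdefault(m.group(1), [])
        elif current is not None and (c := CIPHER.match(line)):
            current.append(c.group(1))
    return offered


def findings(report):
    """List what keeps the port from being TLS 1.2+ with forward secrecy."""
    offered, out = parse(report), []
    if not offered:
        return ["no protocol sections found (scan failed or port closed?)"]
    for proto, suites in sorted(offered.items()):
        if proto not in ("TLSv1.2", "TLSv1.3"):
            out.append(f"{proto} is still enabled")
        for suite in suites:
            # TLS 1.3 suites always use ephemeral key exchange, so skip them.
            if proto != "TLSv1.3" and not re.match(r"TLS_(ECDHE|DHE)_", suite):
                out.append(f"{proto}: {suite} has no forward secrecy")
    if "TLSv1.2" not in offered:
        out.append("TLSv1.2 is not offered")
    return out
```

An empty list from findings() means the scanned port offers only TLS 1.2 or later with forward-secret suites.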