ironfan 4.11.4 → 4.11.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. data/CHANGELOG.md +4 -1
  2. data/ELB.md +14 -4
  3. data/VERSION +1 -1
  4. data/ironfan.gemspec +2 -2
  5. data/lib/ironfan/dsl/ec2.rb +49 -11
  6. metadata +3 -3
data/CHANGELOG.md CHANGED
@@ -1,5 +1,8 @@
1
+ # v4.11.5
2
+ * Update ELB creation code to reflect new SSLNegotiationPolicyType behaviors (thanks @nickmarden)
3
+
1
4
  # v4.11.4
2
- * fix "undefined method" error when assigning elastic IPs (thanks, @andrewgoktepe)
5
+ * fix "undefined method" error when assigning elastic IPs (thanks @andrewgoktepe)
3
6
 
4
7
  # v4.11.3
5
8
  * Removing unnecessary check for groups (caused failures when in VPC)
data/ELB.md CHANGED
@@ -26,7 +26,14 @@
26
26
  map_port('HTTPS', 443, 'HTTP', 81, 'snake-oil')
27
27
 
28
28
  # Applies to all HTTPS/SSL listeners
29
- disallowed_ciphers(%w[ RC4-SHA ])
29
+ allowed_ciphers(%w[ Protocol-SSLv3 Protocol-TLSv1 RC4-MD5 RC4-SHA ])
30
+
31
+ # If AWS tries to add other ciphers automatically because "they know
32
+ # best", and you really don't want that cipher (e.g. the cipher is
33
+ # flagged as problematic by SSLLabs, nessus, etc.) you can explicitly
34
+ # disallow the cipher from your HTTPS/SSL listeners thusly.
35
+ disallowed_ciphers(%w[ AES128-SHA ])
36
+ # PROTIP: The disallowed_ciphers call is usually unnecessary
30
37
 
31
38
  # Health check that is made against ALL running instances
32
39
  health_check do
@@ -78,15 +85,18 @@ These `knife cluster` commands are not associated with updates of the Chef or IA
78
85
 
79
86
  ## SSL policy
80
87
 
81
- The SSL policy control in Ironfan is very rudimentary. You may control which ciphers are explicitly disallowed as follows
88
+ The SSL policy control in Ironfan is very rudimentary. You may control which ciphers are explicitly allowed or disallowed as follows
82
89
 
83
90
  elastic_load_balancer "sparky-elb" do
84
91
  ...
85
- disallowed_ciphers(%w[ RC4-SHA ])
92
+ allowed_ciphers(%w[ Protocol-SSLv3 Protocol-TLSv1 RC4-MD5 RC4-SHA ])
93
+ disallowed_ciphers(%w[ AES128-SHA ])
86
94
  ...
87
95
  end
88
96
 
89
- Note that the default behavior is to disallow ciphers that are hypothetically vulnerable to the [BEAST attack](http://vnhacker.blogspot.com/2011/09/beast.html). You probably don't want or need to change it.
97
+ Note that the default behavior is to allow a standard "safe" list of ciphers supported by most modern browsers, and to disallow ciphers that are hypothetically vulnerable to the [BEAST attack](http://vnhacker.blogspot.com/2011/09/beast.html) and RC4 attacks (http://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks). You probably don't want or need to change it.
98
+
99
+ NOTE: If you do call allowed_ciphers or disallowed_ciphers, you will be overriding the built-in defaults and will need to specify the complete list of allowed or disallowed ciphers instead of just the ones you want to add or remove from the list.
90
100
 
91
101
  ## How do port mappings work?
92
102
 
data/VERSION CHANGED
@@ -1 +1 @@
1
- 4.11.4
1
+ 4.11.5
data/ironfan.gemspec CHANGED
@@ -5,11 +5,11 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = "ironfan"
8
- s.version = "4.11.4"
8
+ s.version = "4.11.5"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["Infochimps"]
12
- s.date = "2013-08-28"
12
+ s.date = "2013-09-24"
13
13
  s.description = "Ironfan allows you to orchestrate not just systems but clusters of machines. It includes a powerful layer on top of knife and a collection of cloud cookbooks."
14
14
  s.email = "coders@infochimps.com"
15
15
  s.extra_rdoc_files = [
data/lib/ironfan/dsl/ec2.rb CHANGED
@@ -182,8 +182,15 @@ module Ironfan
182
182
 
183
183
  end
184
184
 
185
- # SSL ciphers susceptible to the BEAST attack
186
- BEAST_VULNERABLE_CIPHERS = %w[
185
+ # AWS has wonky logic about which ciphers are included in a policy.
186
+ # Some ciphers need to be explicitly excluded or else they will be
187
+ # included, and vice versa. For completeness we protect ourselves
188
+ # from this behavior the best we can by having both an explicit
189
+ # include (allow) and exclude (disallow) list.
190
+
191
+ # Remove ciphers which are vulnerable to the BEAST attack.
192
+ # http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
193
+ DISALLOWED_SSL_CIPHERS = %w[
187
194
  Protocol-SSLv2
188
195
  ADH-AES128-SHA
189
196
  ADH-AES256-SHA
@@ -193,12 +200,9 @@ module Ironfan
193
200
  ADH-DES-CBC3-SHA
194
201
  ADH-RC4-MD5
195
202
  ADH-SEED-SHA
196
- AES128-SHA
197
- AES256-SHA
198
203
  DES-CBC-MD5
199
204
  DES-CBC-SHA
200
205
  DES-CBC3-MD5
201
- DES-CBC3-SHA
202
206
  DHE-DSS-AES128-SHA
203
207
  DHE-DSS-AES256-SHA
204
208
  DHE-RSA-AES128-SHA
@@ -226,11 +230,45 @@ module Ironfan
226
230
  PSK-AES128-CBC-SHA
227
231
  PSK-AES256-CBC-SHA
228
232
  RC2-CBC-MD5
233
+ ] +
234
+ # Remove all RC4 ciphers
235
+ # http://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
236
+ %w[
237
+ ADH-RC4-MD5
238
+ EXP-ADH-RC4-MD5
239
+ EXP-KRB5-RC4-MD5
240
+ EXP-KRB5-RC4-SHA
241
+ EXP-RC4-MD5
242
+ KRB5-RC4-MD5
243
+ KRB5-RC4-SHA
244
+ PSK-RC4-SHA
245
+ RC4-MD5
246
+ RC4-SHA
247
+ ]
248
+
249
+ # TODO: Move over to Elliptic Curve Cipher Suites (ECDHE ciphers) as
250
+ # soon as ELB supports them.
251
+ ALLOWED_SSL_CIPHERS = %w[
252
+ Protocol-SSLv3
253
+ Protocol-TLSv1
254
+ AES128-SHA
255
+ AES256-SHA
256
+ CAMELLIA128-SHA
257
+ CAMELLIA256-SHA
258
+ DES-CBC3-SHA
259
+ DHE-DSS-CAMELLIA128-SHA
260
+ DHE-DSS-CAMELLIA256-SHA
261
+ DHE-DSS-SEED-SHA
262
+ DHE-RSA-CAMELLIA128-SHA
263
+ DHE-RSA-CAMELLIA256-SHA
264
+ DHE-RSA-SEED-SHA
265
+ SEED-SHA
229
266
  ]
230
267
 
231
268
  field :name, String
232
269
  field :port_mappings, Array, :default => []
233
- magic :disallowed_ciphers, Array, :default => BEAST_VULNERABLE_CIPHERS
270
+ magic :allowed_ciphers, Array, :default => ALLOWED_SSL_CIPHERS
271
+ magic :disallowed_ciphers, Array, :default => DISALLOWED_SSL_CIPHERS
234
272
  member :health_check, HealthCheck
235
273
 
236
274
  def map_port(load_balancer_protocol = 'HTTP', load_balancer_port = 80, internal_protocol = 'HTTP', internal_port = 80, iam_server_certificate = nil)
@@ -240,11 +278,11 @@ module Ironfan
240
278
  end
241
279
 
242
280
  def ssl_policy_to_fog
243
- result = Hash[ *disallowed_ciphers.collect { |c| [ c, false ] }.flatten ]
244
- return {
245
- :name => Digest::MD5.hexdigest("#{disallowed_ciphers.sort.join('')}"),
246
- :attributes => result,
247
- }
281
+ result = { }
282
+ allowed_ciphers.each { |a| result[a] = true }
283
+ disallowed_ciphers.each { |d| result[d] = false }
284
+ uuid = Digest::MD5.hexdigest("ALLOWED:#{allowed_ciphers.sort.join('')};DISALLOWED:#{disallowed_ciphers.sort.join('')}")
285
+ return { :name => uuid, :attributes => result }
248
286
  end
249
287
 
250
288
  def listeners_to_fog(cert_lookup)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ironfan
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.11.4
4
+ version: 4.11.5
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-08-28 00:00:00.000000000 Z
12
+ date: 2013-09-24 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: chef
@@ -381,7 +381,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
381
381
  version: '0'
382
382
  segments:
383
383
  - 0
384
- hash: 2271021476756364937
384
+ hash: -2976122810145852585
385
385
  required_rubygems_version: !ruby/object:Gem::Requirement
386
386
  none: false
387
387
  requirements: