Security Response: SSL POODLE attack and mitigation

_Update: 2014-10-17: We have [released an update](https://www.getchef.com/blog/2014/10/17/security-release-chef-server-and-analytics-poodle-and-openssl-vulnerabilites/) of Chef Server products and Analytics to address the POODLE attack as well as other recently announced vulnerabilities._

A new attack on SSL 3.0 has been announced. This attack is fully detailed in [this document](https://www.openssl.org/~bodo/ssl-poodle.pdf).

## Affected Products

See the Remediation section below for a mitigation that can be applied to affected products until patched releases are available.

* Chef Server 12
* Open Source Chef Server 11
* Enterprise Chef 11
* Enterprise Chef 1.4
* Chef Analytics

## Non-affected Products

* Hosted Chef has already been remediated.
* Chef Client
* ChefDK
* The Manage, Reporting, and Push Jobs add-ons are not affected, as long as the accompanying Chef Server has been fixed.

## Remediation

A one-line configuration change will mitigate this issue until new versions of the affected products are available. To prevent the affected products from using SSL 3.0, follow the instructions below as appropriate for your installation(s). This will disable SSL 3.0 in the affected Chef Server versions and in Chef Analytics.

#### Chef Server 12

Add the line below to `/etc/opscode/chef-server.rb`:

```ruby
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
```

Run `chef-server-ctl reconfigure` to pick up the changes. This will need to be done on all nodes in tiered and HA configurations.

#### Open Source Chef Server 11

Add the line below to `/etc/chef-server/chef-server.rb`:

```ruby
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
```

Run `chef-server-ctl reconfigure` to pick up the changes.

#### Enterprise Chef 11

Add the lines below to `/etc/opscode/private-chef.rb`:

```ruby
nginx['enable_non_ssl'] = true
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
```

Run `private-chef-ctl reconfigure` to pick up the changes. This will need to be done on all nodes in tiered and HA configurations.

#### Enterprise Chef 1.4

Add the line below to `/etc/opscode/private-chef.rb`:

```ruby
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
```

Run `private-chef-ctl reconfigure` to pick up the changes. This will need to be done on all nodes in tiered and HA configurations.

#### Chef Analytics

Add the lines below to `/etc/opscode-analytics/opscode-analytics.rb`:

```ruby
ssl['protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
```

Run `opscode-analytics-ctl reconfigure` on the standalone box to pick up the changes.

If Chef Analytics is being run in combined mode, then it will use the settings of the accompanying Chef Server and will be unaffected so long as the accompanying Chef Server is updated.
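Because the setting has to be present on every node (and Analytics needs two keys), it is worth checking the config files after reconfiguring. The script below is an added example, not part of this advisory or of Chef's own tooling: it parses the simple `key['name'] = "value"` lines in a chef-server.rb style file and reports whether the protocol list is missing or still names SSLv3. The product labels, the sample configs and the treatment of `#` comments are assumptions of this example.

```python
import re

# Keys each product's config must set, per the advisory above (assumed labels).
REQUIRED_KEYS = {
    "chef-server": ("nginx['ssl_protocols']",),
    "analytics": ("ssl['protocols']", "nginx['ssl_protocols']"),
}

# Matches lines such as: nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
SETTING_RE = re.compile(r"""^\s*(\w+)\['(\w+)'\]\s*=\s*["']([^"']*)["']\s*$""")


def parse_settings(config_text):
    """Return {"nginx['ssl_protocols']": "TLSv1 ...", ...} for quoted string
    settings in the file. Comments and other lines are ignored; as in Ruby,
    the last assignment to a key wins."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments (assumption: no '#' in values)
        m = SETTING_RE.match(line)
        if m:
            settings[f"{m.group(1)}['{m.group(2)}']"] = m.group(3)
    return settings


def check_poodle_mitigation(config_text, product):
    """Return a list of problems; an empty list means SSLv3 is disabled."""
    settings = parse_settings(config_text)
    problems = []
    for key in REQUIRED_KEYS[product]:
        if key not in settings:
            problems.append(f"{key} not set: the default still allows SSLv3")
            continue
        protocols = settings[key].split()
        ssl_versions = [p for p in protocols if p.upper().startswith("SSLV")]
        if ssl_versions:
            problems.append(f"{key} still enables {' '.join(ssl_versions)}")
        if not any(p.startswith("TLSv") for p in protocols):
            problems.append(f"{key} enables no TLS version; clients could not connect")
    return problems


# Constructed sample configs (not real customer files).
GOOD_SERVER_CONFIG = '# chef-server.rb\nnginx[\'ssl_protocols\'] = "TLSv1 TLSv1.1 TLSv1.2"\n'
BAD_SERVER_CONFIG = 'nginx[\'ssl_protocols\'] = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"\n'
MISSING_CONFIG = "api_fqdn 'chef.example.com'\n"

if __name__ == "__main__":
    for name, text in [("good", GOOD_SERVER_CONFIG), ("bad", BAD_SERVER_CONFIG), ("missing", MISSING_CONFIG)]:
        print(name, check_poodle_mitigation(text, "chef-server") or "OK")
```

Point it at the real file with `check_poodle_mitigation(open(path).read(), "analytics")` for Analytics, which must carry both keys.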

#### Side Effects

Unfortunately, this remediation breaks Pedant, our internal test suite. After making this change, the `chef-server-ctl test` and `private-chef-ctl test` commands will fail in all Chef Server versions except Enterprise Chef 1.4. We are working on a patch for this, but wanted to get the mitigation documented immediately.

Marc Paradise

Marc has over 19 years of experience in software design, development and delivery, and has been with Chef since 2011. Other interests include writing, distributed computing, hardware hacking, container technology, and a myriad of other accumulated pastimes. Marc only talks about himself in the third person when writing biographical blurbs.