Chef Server 12.10.0 Released

Ohai Chefs,

Today we’ve released Chef Server 12.10.0. This release moves Chef
Server to OpenSSL 1.0.2 and updates the default cipher suite used for
HTTPS to match the current “modern” recommendation from Mozilla.

This release also includes bug fixes in opscode-expander,
chef-server-ctl reindex, and Chef Server’s LDAP support. See the
RELEASE_NOTES[0] and CHANGELOG[1] for full details.

Finally, we’ve reduced the size of the Chef Server packages by roughly
40%.

Cheers,

Steven Danna
Software Engineer, Chef

[0] https://github.com/chef/chef-server/blob/12.10.0/RELEASE_NOTES.md
[1] https://github.com/chef/chef-server/blob/12.10.0/CHANGELOG.md

Important addendum that affects both this release and 12.11.0:

If you are running Push Server 1.1, this upgrade will remove an SSL protocol from Chef Server that is still required by Push Server versions prior to 2.1. Prior to upgrading - or to resolve this issue if you have already upgraded - please edit /etc/opscode/chef-server.rb on your Chef Server node and add the following:

nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

Finally, run chef-server-ctl reconfigure on that node to pick up the changes.

This will reinstate the older version of both the ciphers and the SSL protocols.

We apologize for this regression and will work to avoid similar problems in the future.
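
The following is an added example, not part of the original announcement and not Chef's own tooling. It audits the text of a chef-server.rb for the nginx TLS overrides described in the addendum, so the reinstated older protocols and ciphers can be tracked and revisited once Push Server is at 2.1 or later. The function names and the sample config (with a shortened cipher list) are constructed for illustration.

```ruby
# Added example: audit the nginx TLS overrides in a chef-server.rb file.
# Assignments are parsed as text; the file is never evaluated as Ruby.

LEGACY_PROTOCOLS   = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze
ADDENDUM_PROTOCOLS = %w[TLSv1 TLSv1.1 TLSv1.2].freeze # value given in the addendum

# Returns a hash of the ssl_protocols / ssl_ciphers overrides found.
# As in Ruby itself, a later assignment to the same key wins.
# Commented-out lines are ignored.
def nginx_tls_settings(config_text)
  settings = {}
  config_text.each_line do |line|
    next if line.strip.start_with?("#")
    m = line.match(/nginx\[['"](ssl_protocols|ssl_ciphers)['"]\]\s*=\s*(['"])(.*?)\2/)
    settings[m[1]] = m[3] if m
  end
  settings
end

# Summarises what the overrides enable.
def audit_tls(config_text)
  s = nginx_tls_settings(config_text)
  protocols = s.fetch("ssl_protocols", "").split
  tokens    = s.fetch("ssl_ciphers", "").split(":")
  enabled   = tokens.reject { |t| t.start_with?("!") } # "!" entries are exclusions
  {
    overridden: !s.empty?,
    protocols: protocols,
    legacy_protocols: protocols & LEGACY_PROTOCOLS,
    push_override_present: (ADDENDUM_PROTOCOLS - protocols).empty?,
    triple_des_ciphers: enabled.select { |t| t.include?("DES-CBC3") }
  }
end

# Constructed sample input (cipher list shortened for readability).
SAMPLE = <<~CONF
  # nginx['ssl_protocols'] = "TLSv1.2"
  nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
  nginx['ssl_ciphers'] = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4:!EDH-RSA-DES-CBC3-SHA"
CONF

if __FILE__ == $PROGRAM_NAME
  audit_tls(SAMPLE).each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

To check a real node, pass File.read("/etc/opscode/chef-server.rb") to audit_tls instead of SAMPLE.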