2
votes

I am trying to enable SSL for the SaltStack master and minion by following https://docs.saltstack.com/en/latest/ref/configuration/master.html#ssl, but I am not sure how to verify that it is using SSL.

I added this to the master configuration:

ssl:
  keyfile: /etc/salt/ssl/master/key.pem
  certfile: /etc/salt/ssl/master/cert.pem
  ssl_version: PROTOCOL_TLSv1_2

I added similar settings on the minion. However, when I use openssl to test the port with openssl s_client -connect <master ip>:4505 -debug, I get SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol. It seems SSL is not enabled at all. How can I verify whether SSL is enabled? The master and minion communication seems fine; I just need to verify that it is using SSL. I am on CentOS 7 with Python 2.7. Do I need to install any additional packages?

1 Answer

0
votes

You also need to add

transport: tcp

Then you will at least get some SSL-related error in /var/log/salt/master or /var/log/salt/minion.

You can use tcpdump to capture some traffic and analyze it in Wireshark to verify whether the connection is SSL encrypted.
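
An added example, not part of the answer above: a check for the first payload bytes of one direction of a captured stream on port 4505, following the tcpdump/Wireshark suggestion. It tells a TLS record header apart from a ZeroMQ (ZMTP) greeting, which is what Salt's default ZeroMQ transport sends and what makes openssl s_client report "unknown protocol". The function name and all sample bytes are constructed for illustration.

```python
import struct

# TLS record content types and legacy record versions (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}


def classify_first_bytes(data):
    """Classify the first payload bytes of one direction of a TCP stream."""
    # ZMTP greeting signature: 0xFF, eight padding bytes, 0x7F.
    if len(data) >= 10 and data[0:1] == b"\xff" and data[9:10] == b"\x7f":
        return "zmtp-greeting"
    if len(data) < 5:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT_TYPES or (major, minor) not in TLS_VERSIONS:
        return "not-tls"
    # A record holds at most 2^14 bytes plus a bounded expansion allowance.
    if length == 0 or length > 2 ** 14 + 2048:
        return "not-tls"
    label = "tls-" + TLS_CONTENT_TYPES[ctype]
    if ctype == 22 and len(data) >= 6:
        hs_type = struct.unpack("!B", data[5:6])[0]
        if hs_type in HANDSHAKE_TYPES:
            label += ":" + HANDSHAKE_TYPES[hs_type]
    return label


# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "zeromq transport": b"\xff" + b"\x00" * 8 + b"\x7f\x03\x00NULL",
    "tls client side": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    "tls server side": b"\x16\x03\x03\x00\x51\x02\x00\x00\x4d\x03\x03",
    "cleartext": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name in sorted(SAMPLES):
        print("%-18s %s" % (name, classify_first_bytes(SAMPLES[name])))
```

In Wireshark, "Follow TCP Stream" with the raw view gives the bytes to feed in; a stream that is really TLS starts with a handshake record in both directions.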