Faidon Liambotis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/243133
Change subject: sslcert: fix update-ocsp's non-proxy mode
......................................................................
sslcert: fix update-ocsp's non-proxy mode
update-ocsp already had code to deal with not passing a --proxy argument
but it was impossible to reach with the current argparse config. Fix
this and also add support for passing the Host header so that this works
against e.g. GlobalSign's OCSP servers. While at it, fix a couple of
bugs in the error handling path that probably wasn't previously
exercised until I started poking at it.
Change-Id: I9194227439d7c8f5ff320596aad9bafbbb072cdc
---
M modules/sslcert/files/update-ocsp
1 file changed, 7 insertions(+), 4 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/33/243133/1
diff --git a/modules/sslcert/files/update-ocsp
b/modules/sslcert/files/update-ocsp
index fc8786e..f19ce96 100644
--- a/modules/sslcert/files/update-ocsp
+++ b/modules/sslcert/files/update-ocsp
@@ -27,6 +27,7 @@
import glob
import tempfile
import datetime
+import urlparse
def file_exists(fname):
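Review bot: the new `import urlparse` pins this script to Python 2; the module was renamed to `urllib.parse` in Python 3, so an `ImportError` will be the first thing to break on a newer interpreter. If there is any chance of running this under Python 3, a guarded import (`try: from urlparse import urlparse` / `except ImportError: from urllib.parse import urlparse`) costs two lines now and avoids a surprise later.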
@@ -48,8 +49,7 @@
help="output filename",
required=True)
parser.add_argument('--proxy', '-p', dest="proxy",
- help="HTTP proxy host:port to use for OCSP request",
- required=True)
+ help="HTTP proxy host:port to use for OCSP request")
parser.add_argument('--ca-certs', '-d', dest="cadir",
help="SSL CA certificates directory",
default='/etc/ssl/certs')
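Review bot: dropping `required=True` is what makes the non-proxy branch reachable, but the help text still reads as if a proxy is mandatory. It would help operators to state the new behaviour explicitly, e.g. `help="HTTP proxy host:port to use for OCSP request (optional; connect directly if omitted)"`, since the difference between the two modes (proxy `-host` vs. direct `-url` with a Host header) is exactly what this change is about.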
@@ -73,8 +73,7 @@
(p_out, p_err) = p.communicate()
if p.returncode != 0:
sys.stderr.write("Command %s failed with exit code %i, stderr:\n%s" %
- (p.args, p.returncode, p_err))
- raise
+ (" ".join(args), p.returncode, p_err))
return (p_out, p_err)
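Review bot: with the bare `raise` removed, a non-zero exit code is now only logged and the function falls through to `return (p_out, p_err)`, so callers receive the (possibly empty) output of a failed `openssl ocsp` run and carry on as if it had succeeded. The old bare `raise` was itself a bug (outside an `except` block it has no active exception to re-raise), so removing it is right, but it should be replaced by an explicit failure rather than nothing, e.g. `raise RuntimeError("Command %s failed with exit code %i" % (" ".join(args), p.returncode))` or `sys.exit(p.returncode)`, otherwise a broken OCSP fetch can silently leave a stale or empty response on disk. Switching from `p.args` to `" ".join(args)` is correct for Python 2, where `Popen` has no `args` attribute.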
@@ -168,8 +167,12 @@
"-host", proxy,
])
else:
+ # OpenSSL only speaks HTTP/1.0 and sends no Host header. This doesn't
+ # really work in many OCSP servers, so supply the Host header manually.
+ hosthdr = urlparse.urlparse(ocsp_uri).netloc
cmd.extend([
"-url", ocsp_uri,
+ "-header", "Host", hosthdr,
])
for cert in certs:
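Review bot: the `-header Host <value>` form (name and value as two separate arguments) is the OpenSSL 1.0.x syntax; OpenSSL 1.1.0 changed `ocsp -header` to a single `name=value` argument, so this invocation will need adjusting when the hosts move to a newer OpenSSL. It is worth recording that in the comment next to the `-header` line so the breakage is recognisable when it happens. Using `urlparse(ocsp_uri).netloc` for the Host value is correct as far as it goes: it keeps an explicit port (`host:port`), which is what the Host header should carry. Note also that the header is only added in the direct branch; the proxy branch above (`-host proxy`) is unchanged, which is fine because a proxied request carries the full URL in the request line.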
--
To view, visit https://gerrit.wikimedia.org/r/243133
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9194227439d7c8f5ff320596aad9bafbbb072cdc
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits