Issue #3640 has been updated by Ohad Levy.
Further investigation (with the help of Brice) shows that my example code doesn't contain the CRL verifications.
Removing the CRL verification from the client seems to be "solving" the issue.
e.g.:
<pre>
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 9d016c8..ebe170a 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -213,7 +213,7 @@ class Puppet::SSL::Host
# If there's a CRL, add it to our store.
if crl = Puppet::SSL::CertificateRevocationList.find("ca")
- @ssl_store.flags =
OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+# @ssl_store.flags =
OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
@ssl_store.add_crl(crl.content)
end
return @ssl_store
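Review bot: commenting out the `@ssl_store.flags =` assignment makes the failure go away by disabling CRL checking altogether, not by fixing it: OpenSSL only consults the CRLs in a store when V_FLAG_CRL_CHECK is set, so the `@ssl_store.add_crl(crl.content)` that still follows now adds a CRL nothing ever reads, and a revoked agent or master certificate would verify cleanly. The chained-CA failure comes from V_FLAG_CRL_CHECK_ALL, which demands a CRL for every CA in the chain while only the single "ca" CRL is loaded. A narrower change is to keep `@ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK` (leaf-only checking against the issuing CA's CRL), or to load a CRL for each CA in the chain before enabling CHECK_ALL, rather than dropping the flags.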
</pre>
If I understand correctly, one can split the problem into a few parts:
1. A CRL will always be generated on each and every CA.
2. The CRL will be pushed to the client (if none exists), but will not be updated anymore (regardless of changes to it).
May I suggest that:
1. CRL verification should be configurable on the client.
2. The CRL source may be another CA server (e.g. an upstream CA server).
3. The CRL on the client should be re-synced at a regular interval.
4. The master CA will not auto-generate a CRL (or at least allow this to be configured).
5. Consider switching to OCSP.
----------------------------------------
Bug #3640: Puppet SSL verification is broken with multiple chained certificates
http://projects.puppetlabs.com/issues/3640
Author: Ohad Levy
Status: Unreviewed
Priority: Normal
Assigned to:
Category: SSL
Target version:
Affected version: 0.25.5rc1
Keywords:
Branch:
Hi,
It seems that 0.25.x SSL is broken when using a chained CA.
I'm attaching a simple script (and output) showing that using plain net/https works, while using Puppet internally does not.
It doesn't seem to be related to the SSL initialization itself, but rather to something else.
h2. example script
<pre>
require 'net/https'
require 'puppet'                      # Puppet settings (Puppet[:...]) used below
require 'puppet/network/http_pool'

args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"

# 1. Fetch through Puppet's own HTTP pool, whose SSL store is built by
#    Puppet::SSL::Host (CA cert plus CRL and CRL verification flags).
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

# 2. Same request with plain Net::HTTP: same key, cert and CA file from
#    puppet.conf, but an empty cert store and no CRL.
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]
puts http.get url, header
</pre>
h2. output
<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
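The following is an added example (my own code, not from the ticket and not Puppet's), written to reproduce in isolation both the chained-CA "certificate verify failed" shown in the report above and the CRL flag behaviour discussed in the update. It builds a throwaway root / intermediate / leaf PKI in memory (the names "Test Root CA", "Test Intermediate CA" and "agent.example.test" are constructed), then runs the leaf through an OpenSSL::X509::Store configured the way Puppet::SSL::Host does it (V_FLAG_CRL_CHECK_ALL|V_FLAG_CRL_CHECK with a single CRL), and through the alternatives: a CRL for every CA, leaf-only CRL checking, and no flags at all (the ticket's patch) with a CRL that actually revokes the leaf.

```ruby
require 'openssl'

# Constructed throwaway PKI for this example (assumed names, not Puppet's):
# a self-signed root, an intermediate signed by the root, a leaf signed by
# the intermediate. Each CA also signs its own CRL.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    # cRLSign is required, or OpenSSL rejects this CA's CRL during CRL checking
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# CRL signed by a CA; `revoke` lists certificates to mark as revoked.
def make_crl(issuer_cert, issuer_key, revoke: [])
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                                    # CRL v2
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoke.each do |cert|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = cert.serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Same shape as Puppet::SSL::Host#ssl_store: trust the root, set the CRL
# flags, add whatever CRLs are on hand, then verify the leaf with the
# intermediate offered as untrusted chain material. Returns [ok, error].
def verify_leaf(root, intermediate, leaf, crls:, flags:)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.flags = flags
  crls.each { |crl| store.add_crl(crl) }
  ok = store.verify(leaf, [intermediate])
  [ok, store.error_string]
end

def build_pki
  root_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('/CN=Test Root CA', root_key, ca: true, serial: 1)
  int  = make_cert('/CN=Test Intermediate CA', int_key, issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  leaf = make_cert('/CN=agent.example.test', leaf_key, issuer_cert: int, issuer_key: int_key, serial: 3)
  { root: root, int: int, leaf: leaf,
    root_crl: make_crl(root, root_key),
    int_crl: make_crl(int, int_key),
    int_crl_revoking_leaf: make_crl(int, int_key, revoke: [leaf]) }
end

PUPPET_FLAGS = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK
LEAF_ONLY    = OpenSSL::X509::V_FLAG_CRL_CHECK

def run_scenarios(p = build_pki)
  chk = ->(crls, flags) { verify_leaf(p[:root], p[:int], p[:leaf], crls: crls, flags: flags) }
  {
    # Puppet's flags with only the one CRL it syncs: fails on a chained CA
    puppet_flags_one_crl:   chk.call([p[:int_crl]], PUPPET_FLAGS),
    # Puppet's flags with a CRL for every CA in the chain: passes
    puppet_flags_all_crls:  chk.call([p[:int_crl], p[:root_crl]], PUPPET_FLAGS),
    # leaf-only checking needs just the issuing CA's CRL
    leaf_only_one_crl:      chk.call([p[:int_crl]], LEAF_ONLY),
    # the ticket's patch (flags commented out): the CRL is added but never consulted
    no_flags_leaf_revoked:  chk.call([p[:int_crl_revoking_leaf]], 0),
    # same revoked leaf with leaf-only checking: correctly rejected
    leaf_only_leaf_revoked: chk.call([p[:int_crl_revoking_leaf]], LEAF_ONLY),
    # CRL_CHECK_ALL without CRL_CHECK: OpenSSL performs no revocation checking at all
    check_all_alone:        chk.call([], OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
  }
end

if __FILE__ == $0
  run_scenarios.each { |name, (ok, err)| puts "#{name}: #{ok ? 'verified' : "failed (#{err})"}" }
end
```

The `puppet_flags_one_crl` case is the ticket's situation: with CHECK_ALL set, OpenSSL walks the whole chain and stops with "unable to get certificate CRL" at the first CA for which no CRL is loaded, so a single "ca" CRL can never satisfy a chained CA. The two revoked-leaf cases show why the patch in the update is not a fix: without V_FLAG_CRL_CHECK the CRL added to the store is ignored and a revoked certificate verifies, while leaf-only checking with the same CRL rejects it.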