Issue #3640 has been updated by Markus Roberts.

On further investigation it appears that the problem may be that the flag 
settings are incorrect.  There was an OpenSSL bug many years ago (openssl <= 
0.9.7a) in which the flags were reversed, and the conjunction was used as a 
workaround for this bug.  

It appears (though I have not verified this) that the combination hack fails to 
work as expected on newer (>= 0.9.8) versions.  While we may ultimately have to 
set the flags based on the openssl version, it may be that OR-ing in the flag 
we want will suffice:

<pre>
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 9d016c8..ebe170a 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -213,7 +213,7 @@ class Puppet::SSL::Host

             # If there's a CRL, add it to our store.
             if crl = Puppet::SSL::CertificateRevocationList.find("ca")
-                @ssl_store.flags = 
OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+                @ssl_store.flags |= OpenSSL::X509::V_FLAG_CRL_CHECK
                 @ssl_store.add_crl(crl.content)
             end
             return @ssl_store
</pre>
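Review bot: dropping V_FLAG_CRL_CHECK_ALL in the `+` line changes what revocation checking covers, not just how the flags are combined. With V_FLAG_CRL_CHECK alone OpenSSL checks only the end-entity certificate against a CRL; V_FLAG_CRL_CHECK_ALL extends the check to every CA certificate in the chain, which is exactly the chained-CA case this ticket is about, so a revoked intermediate would no longer be caught. If the goal is just to add the flag without clobbering whatever is already set, `@ssl_store.flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK` keeps the previous coverage. Also, `|=` expands to `@ssl_store.flags = @ssl_store.flags | ...` and therefore needs a `flags` reader on the store, whereas the removed line only ever used the `flags=` writer; confirm that OpenSSL::X509::Store exposes a reader in the Ruby versions Puppet supports before relying on it.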

Can you try this, and report back:

1. If it works
2. If CRLs still work
3. The version of openssl you tested on

In the meantime, I'll continue to investigate.

-- Markus
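As an added illustration of what the two flags under discussion actually check (example code written for this page, not part of the ticket or of Puppet): a constructed root/intermediate/leaf chain built with Ruby's OpenSSL binding, where the root has revoked the intermediate. With V_FLAG_CRL_CHECK alone only the leaf is checked against a CRL, so the revoked intermediate is accepted; with V_FLAG_CRL_CHECK|V_FLAG_CRL_CHECK_ALL every certificate in the chain is checked and verification fails with "certificate revoked". All names, serials and keys below are made up for the demo.

```ruby
require "openssl"
# Constructed test PKI: root CA -> intermediate CA -> leaf (demo data, not Puppet's).
def make_cert(cn, issuer, issuer_key, serial, ca)
  key, cert = OpenSSL::PKey::RSA.new(2048), OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer  = issuer ? issuer.subject : cert.subject   # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# A CRL signed by `issuer` that revokes the given serials (possibly none).
def make_crl(issuer, issuer_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, issuer.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial, entry.time = serial, Time.now - 60
    crl.add_revoked(entry)
  end
  crl.tap { |c| c.sign(issuer_key, OpenSSL::Digest.new("SHA256")) }
end

# Verify `leaf` (with `inter` as untrusted chain) against the trusted root + CRLs.
def verify_with(flags, root, inter, leaf, crls)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  crls.each { |crl| store.add_crl(crl) }
  store.flags = flags   # CRL_CHECK_ALL has no effect unless CRL_CHECK is also set
  [store.verify(leaf, [inter]), store.error_string]
end

# Revoke the intermediate via the root's CRL, then verify the leaf both ways.
def crl_flag_demo
  root,  root_key  = make_cert("Root CA", nil, nil, 1, true)
  inter, inter_key = make_cert("Intermediate CA", root, root_key, 2, true)
  leaf, _leaf_key  = make_cert("agent.example.test", inter, inter_key, 3, false)
  crls = [make_crl(root, root_key, [inter.serial]),  # root revokes the intermediate
          make_crl(inter, inter_key, [])]            # intermediate revokes nothing
  leaf_only   = OpenSSL::X509::V_FLAG_CRL_CHECK
  whole_chain = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  { leaf_only:   verify_with(leaf_only, root, inter, leaf, crls),    # => [true, "ok"]
    whole_chain: verify_with(whole_chain, root, inter, leaf, crls) } # => [false, "certificate revoked"]
end
p crl_flag_demo
```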


----------------------------------------
Bug #3640: Puppet SSL verification is broken with multiple chained certificates
http://projects.puppetlabs.com/issues/3640

Author: Ohad Levy
Status: Investigating
Priority: Normal
Assigned to: 
Category: SSL
Target version: 
Affected version: 0.25.5rc1
Keywords: 
Branch: 


Hi,

It seems that 0.25.x SSL is broken when using a chained CA.

I'm attaching a simple script (and output) showing that using simple net/https 
works, while using puppet internally does not.

It doesn't seem to be related to the SSL initialization itself, rather to 
something else.

h2. example script

<pre>
require 'net/https'
require 'puppet/network/http_pool'

args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"


http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end

Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]

puts http.get url, header
</pre>

h2. output

<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>

