Issue #3640 has been updated by Markus Roberts.
The openssl change log may prove to be a useful resource if we wind up having
to do something version sensitive:
http://www.openssl.org/source/exp/CHANGES
----------------------------------------
Bug #3640: Puppet SSL verification is broken with multiple chained certificates
http://projects.puppetlabs.com/issues/3640
Author: Ohad Levy
Status: Investigating
Priority: Normal
Assigned to:
Category: SSL
Target version:
Affected version: 0.25.5rc1
Keywords:
Branch:
Hi,
It seems that 0.25.x SSL is broken when using a chained CA.
I'm attaching a simple script (and output) showing that using simple net/https
works, while using puppet internally does not.
It doesn't seem to be related to the SSL initialization itself, rather to
something else.
h2. example script
<pre>
require 'net/https'
require 'puppet/network/http_pool'
args = ["puppet", 8140]
header = { "Accept" => "pson" }
url = "/development/file_content/facts/somefact.rb"
# 1. Request through Puppet's own HTTP pool, which applies Puppet's SSL setup
http = Puppet::Network::HttpPool.http_instance(*args)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
begin
  puts http.get url, header
rescue
  warn $!
end
# 2. Same request with plain Net::HTTP, configured by hand from the
#    same key, certificate and CA file that Puppet is configured with
Puppet[:config] = "/etc/puppet/puppet.conf"
Puppet.parse_config
http = Net::HTTP.new(*args)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.key = OpenSSL::PKey::RSA.new(File::read(Puppet[:hostprivkey]))
http.cert = OpenSSL::X509::Certificate.new(File::read(Puppet[:hostcert]))
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = Puppet[:localcacert]
puts http.get url, header
</pre>
h2. output
<pre>
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B:
certificate verify failed
#<Net::HTTPOK:0xb75dc408>
"#<Puppet::FileServing::Content:0xb714ffac>"
</pre>
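The chained-CA verification failure the report describes, reduced to its OpenSSL core as an added example that is not part of the ticket: a constructed root/intermediate/leaf PKI (hypothetical names, generated at run time) is checked against an X509 store with and without the intermediate available, which is the difference between trusting only the root and having the full chain in the store or supplied by the peer.

```ruby
require 'openssl'

# Constructed test PKI (not Puppet's real CA): self-signed root, an
# intermediate signed by the root, and a leaf signed by the intermediate.
def make_cert(subject, issuer_cert, issuer_key, key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # A CA certificate without CA:TRUE is rejected as an issuer during path validation.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT         = make_cert('/CN=Test Root CA', nil, nil, ROOT_KEY, ca: true, serial: 1)
INTERMEDIATE = make_cert('/CN=Test Intermediate CA', ROOT, ROOT_KEY, INT_KEY, ca: true, serial: 2)
LEAF         = make_cert('/CN=puppet', INTERMEDIATE, INT_KEY, LEAF_KEY, ca: false, serial: 3)

# Verify +leaf+ against a store holding +trusted+ anchors; +untrusted+ is the
# extra chain a TLS peer sends along with its certificate. Returns [ok, reason].
def verify_chain(leaf, trusted, untrusted = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, store.error_string]
end

if __FILE__ == $0
  # Root only and no intermediate anywhere: no path can be built to the leaf.
  p verify_chain(LEAF, [ROOT])
  # Root trusted, intermediate supplied by the peer: verifies.
  p verify_chain(LEAF, [ROOT], [INTERMEDIATE])
  # Both CA certificates in the store (a CA file holding the full chain): verifies.
  p verify_chain(LEAF, [ROOT, INTERMEDIATE])
end
```

A store that holds only the intermediate also fails, because OpenSSL by default requires the path to end at a self-signed trust anchor.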
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.