Issue #15561 has been updated by Jason Hancock.
My use case was that when submitting a report with the HTTP report processor to an SSL-enabled URL, it would break despite using a valid purchased SSL certificate. First, I made sure that it was still failing on 3.1.1:
<pre>
$ rpm -qa | grep puppet-server
puppet-server-3.1.1-1.el6.noarch
</pre>
And then from my log file:
<pre>
2013-03-30T22:55:40.014912+00:00 puppet puppet-master[2974]: Compiled catalog for 85029c04-81f5-4ee5-ab6d-a9d82944f8fe.cs1null in environment production in 0.14 seconds
2013-03-30T22:55:45.694997+00:00 puppet puppet-master[2974]: Report processor failed: Certname "/c=us/st=ut/l=salt lake city/o=the usertrust network/ou=http://www.usertrust.comutn - datacorp sgc" must not contain unprintable or non-ASCII characters
</pre>
Then I upgraded to the packages you posted, bounced the puppetmaster, and re-ran my test.
<pre>
$ rpm -qa | grep puppet-server
puppet-server-3.1.1-20130329git7541bae.1.el6.noarch
</pre>
A different error message showed up in my logs:
<pre>
2013-03-30T22:59:25.547990+00:00 puppet puppet-master[3532]: Starting Puppet master version 3.1.1
2013-03-30T22:59:26.912290+00:00 puppet puppet-master[3588]: Report processor failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC]
</pre>
----------------------------------------
Bug #15561: Fix for CVE-2012-3867 is too restrictive
https://projects.puppetlabs.com/issues/15561#change-87812

* Author: Dustin Mitchell
* Status: Merged - Pending Release
* Priority: Urgent
* Assignee:
* Category: SSL
* Target version: 3.2.0
* Affected Puppet version: 2.7.18
* Keywords: certificate
* Branch: https://github.com/puppetlabs/puppet/pull/1556
----------------------------------------
The fix for CVE-2012-3867 involves checking certificate subjects for "weird" characters.
From my read of the CVE entry, this is to filter out characters that would cause the name to display in a manner visually indistinguishable from a valid hostname. However, the check is too restrictive:

    Could not retrieve catalog from remote server: Certname "puppetagain base ca/[email protected]/ou=release engineering/o=mozilla, inc." must not contain unprintable or non-ASCII characters

In particular, / is a very common character in subjects, and should be allowed. Puppet is seeing this subject on my base CA - I'm using certificate chaining.

The fix is one character, so I haven't included a patch, but I'm happy to make a pull req if necessary. Another fix would be to only verify certificate subjects for the leaf certificate, and not any of the certs in its signing chain, but that seems less secure.

It's also worth noting that the regex is overly broad, since it downcases the string, then accepts A-Z among other characters.

--
You have received this notification because you have either subscribed to it, or are involved in it.

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
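The two points of the report, that a printable-ASCII allowlist which stops just short of `/` rejects every DN-style subject while still doing nothing useful about the `A-Z` range once the name has been downcased, can be seen side by side in the added Ruby example below. This is my own code, not Puppet's: the `RESTRICTIVE` pattern is an assumption modelled on the behaviour the thread describes, not Puppet's actual constant; the two DN-style subjects are quoted from the messages above, and the hostname, soft-hyphen and escape-sequence inputs are constructed.

```ruby
# Added example, not Puppet code: contrasts a certname allowlist that rejects
# '/' with one that accepts every printable ASCII character, using the subjects
# quoted in this bug thread plus a few constructed inputs.

SUBJECTS = [
  # quoted from the thread (already downcased by the time the check sees them)
  "puppetagain base ca/[email protected]/ou=release engineering/o=mozilla, inc.",
  "/c=us/st=ut/l=salt lake city/o=the usertrust network/ou=http://www.usertrust.comutn - datacorp sgc",
  # constructed inputs
  "agent01.example.com",        # ordinary hostname-style certname, must pass both
  "ev\u00ADil.example.com",     # U+00AD soft hyphen: invisible, non-ASCII, must fail both
  "agent\e[31m.example.com",    # ANSI escape: unprintable, must fail both
].freeze

# Assumed restrictive allowlist (not Puppet's real constant): the first range
# runs from space (0x20) to '.' (0x2E), so '/' (0x2F) is excluded and any
# OpenSSL-style "/C=../O=.." subject is rejected. A-Z is listed even though the
# name is downcased first, so that part of the class can never match anything.
RESTRICTIVE = /\A[ -.0-9A-Za-z_]+\z/

# Relaxed allowlist: all printable ASCII (0x20-0x7E). It still rejects control
# characters and every non-ASCII code point, which is what the CVE fix targets,
# but admits '/', ':', '=', ',' and the other characters that appear in DNs.
PRINTABLE_ASCII = /\A[\x20-\x7e]+\z/

# Downcase first, as the thread says the real check does, then apply the pattern.
def valid_certname?(name, pattern)
  name.downcase.match?(pattern)
end

# Raise with the same message shape the thread quotes, for callers that want an exception.
def validate_certname!(name, pattern = PRINTABLE_ASCII)
  return name if valid_certname?(name, pattern)
  raise ArgumentError, "Certname #{name.inspect} must not contain unprintable or non-ASCII characters"
end

# Names from SUBJECTS that a given pattern would refuse.
def rejected_by(pattern)
  SUBJECTS.reject { |s| valid_certname?(s, pattern) }
end

if $PROGRAM_NAME == __FILE__
  SUBJECTS.each do |s|
    puts format("%-60s restrictive=%-5s printable_ascii=%s",
                s.inspect[0, 58], valid_certname?(s, RESTRICTIVE), valid_certname?(s, PRINTABLE_ASCII))
  end
end
```

Note that the relaxed pattern keeps the property the CVE fix was after: the soft-hyphen name, which renders identically to a plain hostname in most terminals, is still rejected, as is anything carrying a terminal escape sequence. What changes is only that the allowlist now covers the whole printable ASCII range instead of stopping one code point short of `/`.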
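The second log line in Jason's update above, `unable to get local issuer certificate for /C=US/.../CN=UTN - DATACorp SGC`, is a different failure from the certname check: OpenSSL could not find, in the verifier's trust store or in the chain the server presented, the issuer of the certificate it names. The added Ruby example below (my own code, not Puppet's) builds a throwaway root, intermediate and leaf in memory and verifies the leaf with and without the intermediate available, so the error can be reproduced and read offline. All names, serials and key sizes are constructed.

```ruby
require "openssl"

# Added example, not Puppet code. Builds root -> intermediate -> leaf in memory
# and shows when OpenSSL reports "unable to get local issuer certificate".

def gen_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build and sign an X.509v3 certificate. With no issuer_cert/issuer_key the
# certificate is self-signed (a root CA).
def make_cert(dn, key, serial, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(dn)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed chain: names, serials and keys are throwaway test values.
ROOT_KEY = gen_key
INT_KEY  = gen_key
LEAF_KEY = gen_key
ROOT = make_cert("/O=Example Org/CN=Example Root CA", ROOT_KEY, 1, ca: true)
INTERMEDIATE = make_cert("/O=Example Org/CN=Example Issuing CA", INT_KEY, 2, ca: true,
                         issuer_cert: ROOT, issuer_key: ROOT_KEY)
LEAF = make_cert("/CN=reports.example.com", LEAF_KEY, 3, ca: false,
                 issuer_cert: INTERMEDIATE, issuer_key: INT_KEY)

# Verify `leaf`. `trusted` certs go into the store (the role of a CA bundle on
# the client); `presented` are the untrusted certs a server sends alongside its
# leaf in the TLS handshake. Returns the verdict plus the cert the error was
# raised against, which is the subject OpenSSL prints after "for".
def verify_leaf(leaf, trusted, presented = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  {
    ok: ok,
    error: ctx.error,
    message: ctx.error_string,
    failed_at: ok ? nil : ctx.current_cert.subject.to_s,
  }
end

if $PROGRAM_NAME == __FILE__
  puts "root only, intermediate not sent:  #{verify_leaf(LEAF, [ROOT])}"
  puts "root in store, intermediate sent:  #{verify_leaf(LEAF, [ROOT], [INTERMEDIATE])}"
  puts "root and intermediate in store:    #{verify_leaf(LEAF, [ROOT, INTERMEDIATE])}"
end
```

The first call fails with `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY` against the leaf, because neither the store nor the presented chain contains the certificate that issued it; the other two succeed. For a report processor posting to a commercial certificate, the same split applies: either the server must send its intermediate(s) in the handshake, or the client's CA bundle must contain them.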
