Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Heston Hoffman updated an issue: Puppet / PUP-7295
Change By: Heston Hoffman
Labels: resolved-issue-added ssl

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Josh Cooper updated an issue: Puppet / PUP-7295
Change By: Josh Cooper
Release Notes Summary: Puppet now never downgrades verification based on the presence absence of a client cert.
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Josh Cooper updated an issue: Puppet / PUP-7295
Change By: Josh Cooper
Release Notes Summary: Puppet now never downgrades verification based on the presence of a client cert.
Release Notes: Enhancement
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Josh Cooper commented on PUP-7295:
This is fully resolved in PUP-9459. Also we correctly use the CRL when it is enabled (except when downloading the CA and CRL bundles). Marking as a dup and closing.
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Josh Cooper commented on PUP-7295:
A new verifier is being implemented in PUP-9457, which will not downgrade. Once callers are updated to call the new method (in PUP-9460), then this can be closed.
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer updated an issue: Puppet / PUP-7295
Change By: Maggie Dreyer
Team: Server Coremunity
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer commented on PUP-7295:
This work was removed from 6.0 at the last minute, see PUP-9094. We should remedy this as soon as possible.
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer updated an issue: Puppet / PUP-7295
Change By: Maggie Dreyer
Fix Version/s: PUP 6.0.0
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer commented on PUP-7295:
We have fixed this problem for SSL bootstrapping at least, which uses the new Puppet::Rest::Client. That HTTP client forces the caller to specify the verify level appropriate for the request it is trying to make, with all the relevant cert and CRL files provided (PUP-8748). However, we did not update the default validator used by the indirector as part of that work.
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer updated an issue: Puppet / PUP-7295
Change By: Maggie Dreyer
Fix Version/s: PUP 6.0.0
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer updated an issue: Puppet / PUP-7295
Change By: Maggie Dreyer
Team: Platform Core Server
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Maggie Dreyer updated an issue: Puppet / PUP-7295
Change By: Maggie Dreyer
Sub-team: Coremunity
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Josh Cooper updated an issue: Puppet / PUP-7295
Change By: Josh Cooper
Sub-team: Coremunity
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Adrien Thebo assigned an issue to Unassigned: Puppet / PUP-7295
Change By: Adrien Thebo
Assignee: Adrien Thebo
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Adrien Thebo updated an issue: Puppet / PUP-7295
Change By: Adrien Thebo

The majority of SSL connections Puppet makes to Puppet masters (which are mainly done by the indirector) can rely on the CA cert and a signed client certificate being available, which means that we can perform SSL peer verification and can provide a client certificate for client cert based authentication. However the current behavior of the SSL Validator code is able to downgrade to an unauthenticated connection at any point. This introduces unneeded risk when we can clearly identify the small set of code paths that might have a real reason for using a less thorough validator.

Instead of having our validators defaulting to no validation, we should reverse this. The default validator should require a CA certificate for peer verification and should have a client certificate available in case client cert based authentication is required. The code paths that need to have reduced validators should specifically use those validators when absolutely necessary and should default to using the cert auth validator in all other cases.

The locations that I can think of that can justify reducing or disabling verification are as follows:

* Fetching the CA certificate when we don't have a local copy of the CA certificate (AKA {{:localcacert}}).
* Submitting a CSR when a client certificate isn't available (AKA {{:hostcert}}).
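The policy proposed in the issue description above, sketched as an added Ruby example (not Puppet's code and not part of the original thread): `permissive_context` models the downgrade-on-missing-material pattern the issue objects to, and `strict_context` verifies by default and reduces verification only for the two named cases. All method names, the purpose symbols and the in-memory CA are assumptions constructed for illustration.

```ruby
require 'openssl'

class MissingTrustMaterial < StandardError; end

# Hypothetical purpose names for the two exceptions listed in the issue.
REDUCED_PURPOSES = %i[fetch_ca_cert submit_csr].freeze

# Constructed, in-memory self-signed CA standing in for :localcacert.
def constructed_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Example CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def unverified_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

def verified_context(ca_cert, client_cert, client_key)
  ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if client_cert && client_key # offered for client-cert authentication
    ctx.cert = client_cert
    ctx.key = client_key
  end
  ctx
end

# Pattern the issue objects to: the verify level is inferred from whatever
# material is on hand, so a missing file silently disables peer verification.
def permissive_context(ca_cert: nil, client_cert: nil, client_key: nil)
  return unverified_context unless ca_cert && client_cert && client_key
  verified_context(ca_cert, client_cert, client_key)
end

# Proposed default: the caller names its purpose; missing material is an error
# unless the purpose is one of the two exceptions from the issue.
def strict_context(purpose, ca_cert: nil, client_cert: nil, client_key: nil)
  return unverified_context if purpose == :fetch_ca_cert && ca_cert.nil?
  raise MissingTrustMaterial, "#{purpose}: CA certificate required" if ca_cert.nil?
  unless (client_cert && client_key) || REDUCED_PURPOSES.include?(purpose)
    raise MissingTrustMaterial, "#{purpose}: client certificate required"
  end
  verified_context(ca_cert, client_cert, client_key)
end

# True when the strict policy refuses to build a context for this request.
def refused?(purpose, **material)
  strict_context(purpose, **material)
  false
rescue MissingTrustMaterial
  true
end
```

With the strict builder, a request made without a client certificate fails loudly unless it is the CA fetch or CSR submission; the permissive builder returns an unverified context for the same input.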
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Ethan Brown updated an issue: Puppet / PUP-7295
Change By: Ethan Brown
Labels: ssl triaged
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Geoff Nichols updated an issue: Puppet / PUP-7295
Change By: Geoff Nichols
Sprint: Agent Grooming On-Deck
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Geoff Nichols updated an issue: Puppet / PUP-7295
Change By: Geoff Nichols
Sprint: Agent Grooming On-Deck
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Adrien Thebo assigned an issue to Adrien Thebo: Puppet / PUP-7295
Change By: Adrien Thebo
Assignee: Adrien Thebo
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Moses Mendoza updated an issue: Puppet / PUP-7295
Change By: Moses Mendoza
Sprint: Agent Triage Grooming
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
John Duarte updated an issue: Puppet / PUP-7295
Change By: John Duarte
Sprint: Agent Triage
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
John Duarte updated an issue: Puppet / PUP-7295
Change By: John Duarte
Team: Agent
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Adrien Thebo commented on PUP-7295:
/cc Josh Cooper
Jira (PUP-7295) Puppet is too permissive about skipping SSL verification
Adrien Thebo created an issue: Puppet / PUP-7295
Issue Type: Bug
Assignee: Unassigned
Created: 2017/03/02 1:42 PM
Labels: ssl
Priority: Normal
Reporter: Adrien Thebo

The majority of SSL connections Puppet makes to Puppet masters (which are mainly done by the indirector) can rely on the CA cert and a signed client certificate being available, which means that we can perform SSL peer verification and can provide a client certificate for client cert based authentication. However the current behavior of the SSL Validator code is able to downgrade to an unauthenticated connection at any point. This introduces unneeded risk when we can clearly identify the small set of code paths that might have a real reason for using a less thorough validator.

Instead of having our validators defaulting to no validation, we should reverse this. The default validator should require a CA certificate for peer verification and should have a client certificate available in case client cert based authentication is required. The code paths that need to have reduced validators should specifically use those validators when absolutely necessary and should default to using the cert auth validator in all other cases.

The locations that I can think of that can justify reducing or disabling verification are as follows:

* Fetching the CA certificate when we don't have a local copy of the CA