  1. Puppet
  2. PUP-1674

Rack SSL environment variable handling is inconsistent

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Won't Do
    • Affects Version/s: PUP 3.5.0
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      As of 3.5, a puppet master running under rack will require three environment variables to be set:

      • HTTP_X_CLIENT_VERIFY, for whether it's an authenticated connection. (Configurable with the ssl_client_verify_header setting.) This isn't a default variable set by any HTTP server.
      • HTTP_X_CLIENT_DN, for the client cert's DN. (Configurable with the ssl_client_header setting.) This isn't a default variable set by any HTTP server.
      • SSL_CLIENT_CERT, for the whole cert in PEM format – technically optional, and used only for the $trusted['extensions'] hash and expiration warnings. Hardcoded and NOT configurable. This is a default variable name set by Apache's mod_ssl if you enable SSLOptions +ExportCertData.

      So that's two non-default but configurable, and one default but non-configurable.

      That inconsistency makes documentation harder, and smells of cruft and technical debt. They should all be either configurable, or hardcoded to mod_ssl's default variable names. I'm confident that either approach would still be fine for people using non-standard stacks.
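
An added example, not part of the original issue and not Puppet's own code: a Rack-style lookup of the three variables, with two names taken from settings and the third fixed, so the mismatch the issue describes is visible when a front end uses a non-default name. The helper names, the settings hash, the sample env and the `SUCCESS` comparison are assumptions.

```ruby
require 'openssl'

# Stand-in for the two configurable settings; defaults are the names in the issue.
DEFAULT_SETTINGS = {
  ssl_client_verify_header: 'HTTP_X_CLIENT_VERIFY',
  ssl_client_header: 'HTTP_X_CLIENT_DN'
}.freeze

# The third name is fixed, as the issue describes: no setting renames it.
CERT_VAR = 'SSL_CLIENT_CERT'

# Constructed sample env: a front end that passes the DN under a non-default name.
SAMPLE_ENV = {
  'HTTP_X_SSL_SUBJECT' => '/CN=agent01.example.com',
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS'
}.freeze

# Hypothetical helper: resolve the client's identity from a Rack env hash.
def client_identity(env, settings = DEFAULT_SETTINGS)
  dn = env[settings[:ssl_client_header]]
  verify = env[settings[:ssl_client_verify_header]]
  cn = dn && dn[/\bCN\s*=\s*([^,\/]+)/i, 1]&.strip
  identity = {
    node: cn,
    # Assumption: mod_ssl's 'SUCCESS' marks a verified cert; anything else fails closed.
    authenticated: !cn.nil? && verify == 'SUCCESS',
    not_after: nil
  }
  pem = env[CERT_VAR].to_s
  unless pem.empty?
    begin
      identity[:not_after] = OpenSSL::X509::Certificate.new(pem).not_after
    rescue OpenSSL::X509::CertificateError
      # Unparseable PEM: the cert is optional, so only the expiry data is lost.
    end
  end
  identity
end

# Hypothetical helper: list which of the three variables the front end did not set.
def missing_ssl_vars(env, settings = DEFAULT_SETTINGS)
  [settings[:ssl_client_verify_header], settings[:ssl_client_header], CERT_VAR]
    .select { |name| env[name].to_s.empty? }
end
```

With the default settings the sample env resolves to an unauthenticated request with no node name; pointing `ssl_client_header` at `HTTP_X_SSL_SUBJECT` fixes that, while `SSL_CLIENT_CERT` can only be supplied under its fixed name.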


              People

              • Assignee: Unassigned
              • Reporter: Nicholas Fagerlund (nick.fagerlund)
              • Votes: 0
              • Watchers: 4
