PUP-3446 (Puppet): CertificateError when running tests with OpenSSL >= 1.0.1i

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: PUP 3.5.0, PUP 3.5.1, PUP 3.6.0, PUP 3.6.1, PUP 3.6.2, PUP 3.7.0, PUP 3.7.1
    • Fix Version/s: PUP 3.7.4
    • Component/s: None
    • Labels:
      None
    • Environment:

      Debian sid (workstation used for testing)
      rbenv with Rubies 2.0.0-p353, 1.9.3-p194, 1.8.7-p352 and 1.8.7-p302

    • Story Points:
      1
    • Sprint:
      Platform Client 2014-11-12

      Description

      The :minimal_certificate stub in Puppet::Network::HTTP::RackREST does everything necessary to produce a valid test certificate except sign it. An unsigned certificate has empty signing algorithm fields, which is invalid ASN.1, although OpenSSL versions prior to 1.0.1i would accept this ASN.1 anyway.

      When these tests are run on OpenSSL 1.0.1i or newer, an OpenSSL::X509::CertificateError is raised with the message "nested asn1 error". I have confirmed that the resultant ASN.1 is invalid using the dumpasn1 utility, ruling out a bug in OpenSSL reading the certificate.

      To reproduce the problem, simply run (on any system with OpenSSL 1.0.1i or newer):

      bundle exec rspec spec/unit/network/http/rack/rest_spec.rb

      This code was introduced in a706fa30ae6be5dd5fcc3f539f31aa26cbccf42b, which is why I have selected all versions from 3.5.0 onwards as affected.

      I have a simple, tested patch which fixes this problem by self-signing the test certificate, which I intend to submit as a pull request on GitHub shortly.
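
The difference between an unsigned and a self-signed test certificate, as an added Ruby example. This is not the reporter's patch or Puppet's own code; the helper names `build_test_cert` and `round_trips?`, the subject `/CN=testing` and the throwaway key are assumptions constructed for illustration.

```ruby
require 'openssl'

# Build a minimal X.509 certificate for tests. All values are constructed
# sample data. With sign: false the signature algorithm fields stay empty,
# which is the condition the ticket describes.
def build_test_cert(key, sign:)
  name = OpenSSL::X509::Name.parse('/CN=testing')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2            # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name         # issuer == subject: self-issued
  cert.public_key = key          # only the public half is embedded
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  # Self-signing fills in signatureAlgorithm and the signature value,
  # so the DER encoding is well-formed ASN.1.
  cert.sign(key, OpenSSL::Digest.new('SHA256')) if sign
  cert
end

# True if the certificate survives encode -> decode. Encoding or parsing
# errors (including "nested asn1 error") are OpenSSL::OpenSSLError subclasses.
def round_trips?(cert)
  OpenSSL::X509::Certificate.new(cert.to_der)
  true
rescue OpenSSL::OpenSSLError
  false
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  # The unsigned result depends on the installed OpenSSL version.
  puts "unsigned round-trips: #{round_trips?(build_test_cert(key, sign: false))}"
  puts "signed round-trips:   #{round_trips?(build_test_cert(key, sign: true))}"
end
```
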

              People

              • Assignee:
                Unassigned
                Reporter:
                anchor Anchor
                QA Contact:
                Erik Dasher