  1. Puppet
  2. PUP-3450

The module tool should embed and use the root CAs it cares about

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: PMT, Windows
    • Story Points:
      2
    • Sprint:
      Windows 2015-09-23

      Description

      Currently the module tool will use the default set of CA certs when making an SSL connection to the forge. However, this is very fragile, because it requires that:

      1. openssl `set_default_paths` is implemented for that platform (it's not for Windows)
      2. the cacerts bundle is present and updated (it's not for Windows and some versions of Solaris)
      3. the forge SSL cert is issued by a well known CA (it may not be, especially when using an internal/private forge)

      This has led to a number of issues like:

      OPS-3320
      PUP-2365
      OPS-4555
      ENTERPRISE-190
      PE-4699

      We need to modify the module tool so that it initializes the SSL context with a set of trusted CAs. The most secure thing is to specify them in code. Specifying an external file is a possibility, but you have to be careful of file system permissions.
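
      An added illustration of the approach described above, not code from Puppet or from the reporter: a trust store is built only from CA PEM text held in the program, `set_default_paths` is never called, and a certificate from any other issuer fails verification. The helper names, the subject names and the throwaway CA generated at run time (standing in for the embedded PEM) are all constructed for this example.

```ruby
require 'openssl'

# Constructed test PKI helper: issues a short-lived certificate. In a real tool
# the CA PEM would be a constant in the source, not generated at run time.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Trust store populated only from PEM text supplied by the caller.
# set_default_paths is deliberately not called, so the platform bundle
# (missing or stale on some systems) plays no part in the decision.
def pinned_store(pem_bundle)
  store = OpenSSL::X509::Store.new
  pem_bundle.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m) do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store
end

# SSL context that verifies the peer against the pinned store only.
def pinned_ssl_context(pem_bundle)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = pinned_store(pem_bundle)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

def demo
  ca_key, other_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = make_cert('/CN=Constructed Forge CA', ca_key, ca: true)
  other = make_cert('/CN=Constructed Other CA', other_key, ca: true)
  good  = make_cert('/CN=forge.example.test', leaf_key, issuer_cert: ca, issuer_key: ca_key)
  bad   = make_cert('/CN=forge.example.test', leaf_key, issuer_cert: other, issuer_key: other_key)
  store = pinned_store(ca.to_pem) # ca.to_pem plays the role of the embedded bundle
  { trusted: store.verify(good), untrusted: store.verify(bad) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

      A context built this way would be handed to the HTTPS client in place of one that relies on the default CA paths.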

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  josh Josh Cooper
                  QA Contact:
                  Ryan Gard
                • Votes:
                  0
                  Watchers:
                  11
