  1. Puppet
  2. PUP-5096

Windows Puppet build includes an OpenSSL with crazy defaults baked in

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: PUP 3.8.2
    • Fix Version/s: None
    • Component/s: Windows
    • Labels:
      None
    • Environment:

      Windows 2012 R2 Server Core
      puppet-3.8.2-x64.msi

    • Template:
    • Story Points:
      2
    • Sprint:
      RE 2015-09-09

      Description

      The OpenSSL gem built into the 3.8.2 MSI contains at least one crazy default that makes it nearly impossible to use the embedded Ruby for extra purposes. In this case the extra purpose is librarian-puppet, which works best when it uses the same Ruby environment that Puppet does.

      That default is the DEFAULT_CONFIG_FILE constant which is indicative of the default configuration directory, which is scanned for CA pem files by default with OpenSSL/Faraday.

      (from ext/openssl/ossl_x509store.c in the openssl gem)

       * Adds the default certificates to the certificate store.  These certificates
       * are loaded from the default configuration directory which can usually be
       * determined by:
       *
       *   File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
      

      Using C:\Program Files\Puppet Labs\puppet\sys\ruby\bin\irb:

      irb(main):014:0> File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
      => "C:/jenkins/workspace/Windows_Knapsack_package_builds/ARCH/x64/label/win-builder-4/var/knapsack/software/x64-windows/openssl/1.0.0s/ssl"
      

      I'm no OpenSSL build expert, but this points to OpenSSL not being aware that its destination directory is going to differ significantly from the build directory.

      AFAIK (not an OpenSSL expert), there's no way to override this directory with an environment variable; and as it's compiled into the shared library object there's no editing some Ruby.

            People

            • Assignee:
              bradejr Rob Braden
              Reporter:
              jeffb Jeff Bachtel
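An added example, not part of the original report or of Puppet's code: a Ruby check that reads the paths compiled into the OpenSSL a given Ruby is linked against and reports whether each one exists on the running host, which is how a build-directory path like the one in the irb output above shows up. The helper names (`compiled_in_defaults`, `audit_openssl_paths`, `trust_store_missing?`) are hypothetical; the constants are those of Ruby's openssl extension, and `SSL_CERT_FILE` / `SSL_CERT_DIR` are the environment variable names OpenSSL consults when loading its default verify paths.

```ruby
require 'openssl'

# Paths compiled into the OpenSSL library this Ruby is linked against.
def compiled_in_defaults
  {
    config_dir: File.dirname(OpenSSL::Config::DEFAULT_CONFIG_FILE),
    cert_file:  OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir:   OpenSSL::X509::DEFAULT_CERT_DIR
  }
end

# Environment variables that replace a compiled-in default when set.
OVERRIDE_ENV = {
  cert_file: OpenSSL::X509::DEFAULT_CERT_FILE_ENV, # "SSL_CERT_FILE"
  cert_dir:  OpenSSL::X509::DEFAULT_CERT_DIR_ENV   # "SSL_CERT_DIR"
}.freeze

# One finding per path: the effective location, whether it comes from the
# environment, and whether it exists on this host.
def audit_openssl_paths(defaults = compiled_in_defaults, env = ENV)
  defaults.map do |name, compiled|
    var = OVERRIDE_ENV[name]
    override = var && env[var]
    effective = override || compiled
    # SSL_CERT_DIR may hold several directories joined by the path separator.
    candidates = name == :cert_dir && override ? override.split(File::PATH_SEPARATOR) : [effective]
    { name: name, compiled: compiled, env_var: var, effective: effective,
      overridden: !override.nil?, exists: candidates.any? { |p| File.exist?(p) } }
  end
end

# True when neither the CA bundle file nor the CA directory can be found,
# so set_default_paths would load no trust anchors.
def trust_store_missing?(findings)
  findings.select { |f| %i[cert_file cert_dir].include?(f[:name]) }
          .none? { |f| f[:exists] }
end

if __FILE__ == $PROGRAM_NAME
  findings = audit_openssl_paths
  findings.each do |f|
    puts format('%-10s %-7s %s', f[:name], f[:exists] ? 'ok' : 'MISSING', f[:effective])
  end
  warn 'no usable default CA location found' if trust_store_missing?(findings)
end
```

Run it with the interpreter under test, for example the `ruby` that ships in the same `bin` directory as the `irb` used above.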