Puppet / PUP-7283

Instantiating Puppet::SSL::DefaultValidator shouldn't trigger client SSL initialization

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Release Notes: Not Needed
    • QA Risk Assessment: Needs Assessment

      Description

      The Puppet::SSL::DefaultValidator class is unsafe to call when the Puppet client SSL state isn't initialized. The #initialize method takes a Puppet::SSL::Host object, which is reasonable(ish), but the default value calls Puppet::SSL::Host.localhost, which has the side effect of trying to generate a certificate if no certificate exists. This is both a cause and a symptom of the unholy thicket of implicit SSL initialization, and this behavior introduces a lot of weird behavior.

      To add to the fun, the DefaultValidator also switches behavior at runtime depending on whether the CA or client certificates are available. This is fairly magic behavior and can be replaced with a proper concept of an "upgrading" validator that uses the best validator available, plus multiple validators that perform different validation (and connection setup) based on what sort of validation credentials are available.

      In order to detangle this, we need to break up the DefaultValidator
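As an added illustration (not Puppet's code), the two patterns the ticket contrasts: a constructor default that reaches for a side-effecting `localhost` accessor, and an "upgrading" selector that only reads which credentials exist. `CredentialStore`, the validator classes and `best_validator` are hypothetical stand-ins, not Puppet::SSL's real API.

```ruby
# Hypothetical stand-ins, not Puppet's real classes. CredentialStore plays
# the role the ticket assigns to Puppet::SSL::Host: it reports which certs
# exist and, like Host.localhost, can generate a client cert as a side effect.
class CredentialStore
  attr_reader :ca_cert, :client_cert, :generated

  def initialize(ca_cert: nil, client_cert: nil)
    @ca_cert, @client_cert, @generated = ca_cert, client_cert, 0
  end

  # The side-effecting accessor: makes sure a client cert exists, minting
  # one if it does not. Counting generations lets a caller prove it ran.
  def localhost
    if @client_cert.nil?
      @client_cert = "freshly-generated-client-cert"
      @generated += 1
    end
    self
  end
end

# Pattern the ticket objects to: the default argument evaluates `localhost`
# at instantiation, so merely constructing a validator can mint a cert.
class SideEffectingValidator
  def initialize(store, host = store.localhost)
    @host = host
  end
end

# Validators distinguished by what they can check; none touches the store.
class NoVerifyValidator; def level; :none;   end; end # no CA: nothing to verify against
class CaValidator;       def level; :ca;     end; end # verify the server chain against the CA
class MutualValidator;   def level; :mutual; end; end # also present the client cert

# "Upgrading" selection: pick the strongest validator the credentials on
# hand support, reading state only and never generating anything.
def best_validator(store)
  return MutualValidator.new if store.ca_cert && store.client_cert
  return CaValidator.new     if store.ca_cert
  NoVerifyValidator.new
end

if __FILE__ == $PROGRAM_NAME
  s = CredentialStore.new
  SideEffectingValidator.new(s)
  puts "old pattern generated #{s.generated} cert(s) just by instantiating"
  t = CredentialStore.new
  puts "upgrading selector chose #{best_validator(t).level}, generated #{t.generated}"
end
```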

      People

      • Assignee: Unassigned
      • Reporter: Adrien Thebo (adrien)