[PUP-7283] Instantiating Puppet::SSL::DefaultValidator shouldn't trigger client SSL initialization - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Epic Link:
Simplify agent SSL initialization
Sub-team:
- Coremunity
Team:
Platform Core
Story Points:
3
Sprint:
SE 2017-03-08, Server 2017-03-22, Server 2017-04-05, Server 2017-04-19

Release Notes:
Not Needed

QA Risk Assessment:
Needs Assessment

Description

The Puppet::SSL::DefaultValidator class is unsafe to call when the Puppet client SSL state isn't initialized. The #initialize method takes a Puppet::SSL::Host object which is reasonable(ish), but the default value calls Puppet::SSL::Host.localhost which has the side effect of trying to generate a certificate if no certificate exists. This is cause and symptom of the unholy thicket of implicit SSL initialization, and this behavior introduces a lot of weird behavior.

To add to the fun, the DefaultValidator also switches behavior at runtime depending on if the CA or client certificates are available. This is fairly magic behavior and can be replaced with a proper concept of an "upgrading" validator that uses the best validator available, and multiple validators that perform different validation (and connection setup) based on what sort of validation credentials are available.

In order to detangle this, we need to break up the DefaultValidator

Attachments

Issue Links

blocks

PUP-7248 Convert initial CA cert (and CRL) fetching operation to state machine

Closed

relates to

PUP-7295 Puppet is too permissive about skipping SSL verification

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Adrien Thebo

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2017/02/28 11:56 AM

Updated:: 2018/05/25 8:38 AM

Resolved:: 2018/05/25 8:38 AM