The majority of SSL connections Puppet makes to Puppet masters (mainly through the indirector) can rely on the CA certificate and a signed client certificate being available, which means they can perform SSL peer verification and present a client certificate for client-cert-based authentication. However, the current SSL validator code is able to downgrade to an unauthenticated connection at any point. This introduces unneeded risk, since we can clearly identify the small set of code paths that might have a real reason for using a less thorough validator.
Instead of having our validators default to no validation, we should reverse this. The default validator should require a CA certificate for peer verification and should have a client certificate available in case client-cert-based authentication is required. The code paths that need reduced validators should specifically opt into those validators, and only when absolutely necessary; everything else should default to the cert-auth validator.
The locations that I can think of that can justify reducing or disabling verification are as follows:
- Fetching the CA certificate when we don't have a local copy of the CA certificate (AKA :localcacert).
- Submitting a CSR when a client certificate isn't available (AKA :hostcert).
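As an added example (not Puppet's own code, and not the validator classes Puppet ships), the policy above can be expressed as a single selection function: the default validator requires both the CA cert and the host cert and raises if either is missing, the CSR path may verify the peer without presenting a client cert, and only the CA-fetch path with no local CA may skip verification. The settings hash, the purpose symbols and the class names are assumptions made for the example; the fixture files are constructed placeholders, not real certificates.

```ruby
require 'openssl'
require 'tempfile'

# Added example, not Puppet's own code: a validator selection policy that defaults
# to full verification and only allows weaker validators on the two named paths.
# `settings` stands in for Puppet's :localcacert / :hostcert / :hostprivkey
# settings; the purpose symbols and class names here are hypothetical.

class MissingSslMaterial < StandardError; end

module SslPolicy
  FETCH_CA   = :fetch_ca    # no local CA yet: the only path allowed to skip peer verification
  SUBMIT_CSR = :submit_csr  # no client cert yet: must still verify the peer, cannot authenticate

  def self.present?(path)
    !path.nil? && File.readable?(path)
  end

  # Default validator: verifies the peer against the CA and presents the client
  # cert. Raises instead of quietly dropping either requirement.
  class CertAuth
    def initialize(settings)
      @s = settings
    end

    def ssl_options
      unless SslPolicy.present?(@s[:localcacert])
        raise MissingSslMaterial, "CA cert #{@s[:localcacert].inspect} is not available"
      end
      unless SslPolicy.present?(@s[:hostcert])
        raise MissingSslMaterial, "host cert #{@s[:hostcert].inspect} is not available"
      end
      { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: @s[:localcacert],
        cert: @s[:hostcert], key: @s[:hostprivkey] }
    end
  end

  # Reduced validator for CSR submission: peer verification without a client cert.
  class PeerOnly
    def initialize(settings)
      @s = settings
    end

    def ssl_options
      unless SslPolicy.present?(@s[:localcacert])
        raise MissingSslMaterial, "CA cert #{@s[:localcacert].inspect} is not available"
      end
      { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: @s[:localcacert] }
    end
  end

  # Reduced validator for bootstrapping the CA cert itself: no verification possible.
  class NoVerify
    def ssl_options
      { verify_mode: OpenSSL::SSL::VERIFY_NONE }
    end
  end

  # The only place a downgrade decision is made. Anything other than the two
  # bootstrap purposes gets CertAuth, which fails if the material is missing.
  def self.validator_for(purpose, settings)
    have_ca   = present?(settings[:localcacert])
    have_cert = present?(settings[:hostcert])
    case purpose
    when FETCH_CA
      return NoVerify.new unless have_ca
      have_cert ? CertAuth.new(settings) : PeerOnly.new(settings)
    when SUBMIT_CSR
      have_cert ? CertAuth.new(settings) : PeerOnly.new(settings)
    else
      CertAuth.new(settings)
    end
  end

  # Constructed fixture: placeholder files so the presence checks have something
  # to find. They are not real PEM certificates and are never parsed.
  def self.with_settings(ca:, hostcert:)
    files = []
    settings = { localcacert: nil, hostcert: nil, hostprivkey: nil }
    stub = lambda do |name|
      f = Tempfile.new(name)
      f.write("placeholder #{name} (constructed fixture)\n")
      f.flush
      files << f
      f.path
    end
    settings[:localcacert] = stub.call('localcacert') if ca
    if hostcert
      settings[:hostcert]    = stub.call('hostcert')
      settings[:hostprivkey] = stub.call('hostprivkey')
    end
    yield settings
  ensure
    files.each(&:close!) if files
  end
end

if __FILE__ == $PROGRAM_NAME
  SslPolicy.with_settings(ca: false, hostcert: false) do |s|
    p SslPolicy.validator_for(:fetch_ca, s).ssl_options
    begin
      SslPolicy.validator_for(:catalog, s).ssl_options
    rescue MissingSslMaterial => e
      puts "catalog request refused rather than downgraded: #{e.message}"
    end
  end
end
```

The important property is that an ordinary request (the `else` branch) never reaches `NoVerify` or `PeerOnly`: with no CA or host cert it raises, where the current code would silently carry on unauthenticated. The CSR path also never drops peer verification, since the CA cert is the one thing that must already be in place before a CSR is submitted.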