PUP-7845: Support leaf certificate CRL checking

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.3.1
    • Component/s: None
    • Team:
      Platform Core
    • Story Points:
      3
    • Sprint:
      Platform Core 2017-08-22, Platform Core KANBAN
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Puppet can be configured to perform end entity certificate revocation checking. When the `certificate_revocation` setting is set to `leaf` and Puppet is authenticating an SSL connection, Puppet will check the revocation status of the end entity certificate of the peer, instead of attempting to check the revocation status of every certificate in the chain. This allows users to perform basic revocation checking when using an intermediate CA certificate with Puppet.
    • QA Risk Assessment:
      Manual

      Description

      Apache 2.4 added the SSLCARevocationCheck setting, which controls the depth of revocation checking done for client certificates. Supporting leaf certificate revocation checking provides the same level of security as full chain checking when intermediate CAs are not used, and still provides a good level of security when intermediate CAs are in use.

      The work required for full chaining (discussed in PUP-3788) is fairly involved, so while we're working on the larger picture we should support leaf revocation checking so that CRLs can be used in some form when intermediate CAs are in use.
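The following is an added example, not Puppet's own code, that shows why leaf-only revocation checking matters once an intermediate CA is in the picture. It builds a throwaway in-memory PKI (root CA, intermediate CA, agent certificate, with constructed names and serial numbers) and verifies the agent certificate with Ruby's OpenSSL bindings under two policies: `V_FLAG_CRL_CHECK` alone, which checks only the end entity certificate and mirrors the `certificate_revocation = leaf` behaviour described above, and `V_FLAG_CRL_CHECK` together with `V_FLAG_CRL_CHECK_ALL`, which demands a CRL for every certificate in the chain, root included. The mapping of Puppet's setting onto these flags is this example's own modelling, not a quotation of Puppet's implementation.

```ruby
require 'openssl'

# Added example, not Puppet code: an in-memory PKI (root -> intermediate -> leaf) used to
# contrast leaf-only CRL checking with full-chain CRL checking in OpenSSL.
NOW = Time.now

def make_key
  OpenSSL::PKey::RSA.new(2048)
end

# Build an X.509v3 certificate; with no issuer it is self-signed (the root CA).
def make_cert(subject, key, serial, ca, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = NOW - 60
  cert.not_after = NOW + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Issue a CRL signed by a CA that lists the given serial numbers as revoked.
def make_crl(issuer_cert, issuer_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # X.509 v2 CRL
  crl.issuer = issuer_cert.subject
  crl.last_update = NOW - 60
  crl.next_update = NOW + 3600
  revoked_serials.each do |serial|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = serial
    rev.time = NOW - 30
    crl.add_revoked(rev)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Verify LEAF against the trusted ROOT, passing INTERMEDIATE as an untrusted chain cert.
#   :leaf  -> V_FLAG_CRL_CHECK only: a CRL is needed for the end entity certificate
#   :chain -> plus V_FLAG_CRL_CHECK_ALL: a CRL is needed for every certificate in the
#             chain, including the one the root CA issues for itself
# Returns [verified?, error_code, error_depth, error_string].
def verify_with_crls(leaf, intermediate, root, crls, mode)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  crls.each { |crl| store.add_crl(crl) }
  flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  flags |= OpenSSL::X509::V_FLAG_CRL_CHECK_ALL if mode == :chain
  store.flags = flags
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, [intermediate])
  ok = ctx.verify
  [ok, ctx.error, ctx.error_depth, ctx.error_string]
end

# Constructed test PKI: names and serials are arbitrary.
def pki
  @pki ||= begin
    root_key, int_key, leaf_key = make_key, make_key, make_key
    root = make_cert('/CN=Example Root CA', root_key, 1, true)
    int  = make_cert('/CN=Example Intermediate CA', int_key, 2, true, root, root_key)
    leaf = make_cert('/CN=agent.example.com', leaf_key, 3, false, int, int_key)
    { root: root, int: int, leaf: leaf,
      root_crl_clean: make_crl(root, root_key, []),
      root_crl_revokes_int: make_crl(root, root_key, [2]),
      int_crl_clean: make_crl(int, int_key, []),
      int_crl_revokes_leaf: make_crl(int, int_key, [3]) }
  end
end

# Each scenario: which CRLs are on hand and which checking mode is applied.
def scenarios
  @scenarios ||= begin
    p = pki
    chk = ->(crls, mode) { verify_with_crls(p[:leaf], p[:int], p[:root], crls, mode) }
    {
      # Only the issuing (intermediate) CA's CRL is available: the case this ticket is about.
      leaf_mode_int_crl_only:  chk.call([p[:int_crl_clean]], :leaf),
      chain_mode_int_crl_only: chk.call([p[:int_crl_clean]], :chain),
      # Leaf checking still rejects a revoked end entity certificate.
      leaf_mode_leaf_revoked:  chk.call([p[:int_crl_revokes_leaf]], :leaf),
      # With CRLs from both CAs, chain mode verifies and also notices a revoked
      # intermediate, which leaf mode by design does not look at.
      chain_mode_both_crls:    chk.call([p[:root_crl_clean], p[:int_crl_clean]], :chain),
      chain_mode_int_revoked:  chk.call([p[:root_crl_revokes_int], p[:int_crl_clean]], :chain),
      leaf_mode_int_revoked:   chk.call([p[:root_crl_revokes_int], p[:int_crl_clean]], :leaf)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each do |name, (ok, _code, depth, msg)|
    puts format('%-24s verified=%-5s depth=%d %s', name, ok, depth, msg)
  end
end
```

The two results to compare are `leaf_mode_int_crl_only` and `chain_mode_int_crl_only`: with only the intermediate's CRL in the store, leaf mode verifies the agent certificate, while chain mode fails at depth 1 with "unable to get certificate CRL" because no CRL issued by the root is available. The last pair shows the trade-off the ticket accepts: a CRL that revokes the intermediate itself is only honoured in chain mode.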

                People

                • Assignee:
                  adrien Adrien Thebo
                  Reporter:
                  adrien Adrien Thebo
                  QA Contact:
                  Eric Delaney
                • Votes:
                  0
                  Watchers:
                  5
