Puppet / PUP-7845

Support leaf certificate CRL checking

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.3.1
    • Component/s: None
    • Labels:
      None
    • Team:
      Platform Core
    • Story Points:
      3
    • Sprint:
      Platform Core 2017-08-22, Platform Core KANBAN
    • Release Notes:
      New Feature
    • Release Notes Summary:
      Puppet can be configured to perform end entity certificate revocation checking. When the `certificate_revocation` setting is set to `leaf` and Puppet is authenticating an SSL connection, Puppet checks the revocation status of the peer's end entity certificate only, instead of attempting to check the revocation status of every certificate in the chain. This allows basic revocation checking when using an intermediate CA certificate with Puppet.
    • QA Risk Assessment:
      Manual

      Description

      Apache 2.4 added the SSLCARevocationCheck setting, which controls the depth of revocation checking done for client certificates. Supporting leaf certificate revocation checking provides the same level of security as full chain checking when intermediate CAs are not used, and still provides a good level of security when intermediate CAs are in use.

      The work required for full chaining (discussed in PUP-3788) is fairly involved, so while we're working on the larger picture we should support leaf revocation checking so that CRLs can be used in some form when intermediate CAs are in use.
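
      The difference between `leaf` and `chain` that the release note and the description above describe, as an added Ruby example (this is not Puppet's code): it builds a constructed three-level PKI (root CA, intermediate CA, agent certificate) with Ruby's OpenSSL bindings and runs the verifier with the X509 store flags Puppet uses for each `certificate_revocation` value. The subject names, serial numbers and scenario labels are made up for the demo.

```ruby
require 'openssl'

# Constructed demo PKI (root CA -> intermediate CA -> agent certificate),
# not Puppet's code. It drives OpenSSL's verifier with the same store flags
# Puppet uses for the `chain` and `leaf` values of `certificate_revocation`.
DIGEST = 'SHA256'

# Map of certificate_revocation values to OpenSSL X509 store flags.
REVOCATION_FLAGS = {
  chain: OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL,
  leaf:  OpenSSL::X509::V_FLAG_CRL_CHECK, # end entity (depth 0) only
  none:  0                                 # certificate_revocation = false
}.freeze

def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  # OpenSSL only accepts CRLs from an issuer whose keyUsage includes cRLSign.
  key_usage = ca ? 'keyCertSign, cRLSign' : 'digitalSignature, keyEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', key_usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

def make_crl(issuer_cert, issuer_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# Verify `leaf` against `trusted` roots, with `untrusted` intermediates and the
# given CRLs, in one of the three revocation modes. Returns [ok, reason].
def verify(leaf, untrusted, trusted, crls, mode)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  crls.each { |c| store.add_crl(c) }
  store.flags = REVOCATION_FLAGS.fetch(mode)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  [ok, ctx.error_string] # error_string is "ok" when verification succeeds
end

def run_scenarios
  root_key, ica_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('/CN=Demo Root CA', root_key, nil, nil, 1, ca: true)
  ica  = make_cert('/CN=Demo Intermediate CA', ica_key, root, root_key, 2, ca: true)
  leaf = make_cert('/CN=agent.example.com', leaf_key, ica, ica_key, 3, ca: false)

  root_crl             = make_crl(root, root_key, [])
  ica_crl              = make_crl(ica, ica_key, [])
  root_crl_revokes_ica = make_crl(root, root_key, [ica.serial.to_i])
  ica_crl_revokes_leaf = make_crl(ica, ica_key, [leaf.serial.to_i])

  {
    # Only the issuing intermediate's CRL is available (the usual external CA case).
    leaf_ica_crl_only:  verify(leaf, [ica], [root], [ica_crl], :leaf),
    chain_ica_crl_only: verify(leaf, [ica], [root], [ica_crl], :chain),
    # chain mode needs a CRL for every issuer in the path, the root included.
    chain_all_crls:     verify(leaf, [ica], [root], [root_crl, ica_crl], :chain),
    # A revoked agent certificate is rejected by both modes.
    leaf_revoked_agent: verify(leaf, [ica], [root], [ica_crl_revokes_leaf], :leaf),
    # A revoked intermediate is caught by chain mode only: leaf mode never looks at depth 1.
    leaf_revoked_ica:   verify(leaf, [ica], [root], [root_crl_revokes_ica, ica_crl], :leaf),
    chain_revoked_ica:  verify(leaf, [ica], [root], [root_crl_revokes_ica, ica_crl], :chain),
    # certificate_revocation = false: the CRL is ignored entirely.
    none_revoked_agent: verify(leaf, [ica], [root], [ica_crl_revokes_leaf], :none)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenarios.each { |name, (ok, reason)| puts format('%-20s %-5s %s', name, ok, reason) }
end
```

      Running the script shows why `chain` fails behind an intermediate CA unless every issuer's CRL is in the store (`chain_ica_crl_only` stops with "unable to get certificate CRL" while `leaf_ica_crl_only` passes), and the trade-off `leaf` makes: a revoked agent certificate is still rejected, but a revoked intermediate CA certificate passes because depth 1 is never consulted. Keep `chain` wherever every CA's CRL can be distributed to the agents; choose `leaf` only when the intermediate CA's CRL is the one you can actually keep current.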

            Activity

            kenn Kenn Hussey added a comment -

            Garrett Guillotte do you have what you need here? This is going out with 5.3.1.

            adrien Adrien Thebo added a comment -

            See the `certificate_revocation` documentation for more information about the new `leaf` setting.

            https://github.com/puppetlabs/puppet/blob/5.3.1/lib/puppet/defaults.rb#L859

            garrett.guillotte Garrett Guillotte added a comment -

            Kenn Hussey Adrien Thebo Got it, thanks.

            garrett.guillotte Garrett Guillotte added a comment -

            Adrien Thebo The external CA doc https://docs.puppet.com/puppet/latest/config_ssl_external_ca.html doesn't differentiate between leaf and chain checks, so I think it also needs updating in addition to the release note.

            Do we have a test or use case for this setting that I can consult beyond the reference details in the setting's docs, so I can explain the differences between chain and leaf and why a user would choose one or the other?

            kenn Kenn Hussey added a comment -

            Eric Delaney can this be resolved now that the release has shipped?

            eric.delaney Eric Delaney added a comment -

            Adrien Thebo Garrett Guillotte Do we have all the documentation things for this done so that we can close this?

            garrett.guillotte Garrett Guillotte added a comment - (edited)

            Eric Delaney You can close this ticket. I'll open a separate ticket against the DOC project to handle what's left.

              People

              • Assignee:
                adrien Adrien Thebo
              • Reporter:
                adrien Adrien Thebo
              • QA Contact:
                Eric Delaney