  1. Puppet
  2. PUP-8652 Agents should be able to use CA and CRL bundles
  3. PUP-8654

Agents should save all CRLs downloaded from the server


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Froyo
    • Release Notes:
      Not Needed
    • QA Risk Assessment:
      Needs Assessment

      Description

      Currently the puppet agent does not correctly handle chained CRLs. When using an intermediate CA, users must now turn on leaf-only checking for CRLs to work around this. Puppet needs to be able to verify the revocation status of the master using the whole chain, not just the leaf.

      This is complicated by the indirector, which hard-codes an assumption that we only have one CRL. We should sidestep the indirector here to handle bundled CRLs properly, adding all of them to the trust store, not just the leaves.
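
The difference between leaf-only and whole-chain CRL checking described above, as an added example that is not Puppet's code and not part of the original ticket: Ruby's OpenSSL bindings run against a constructed root, intermediate and server PKI whose root CRL revokes the intermediate. The helper names (`make_cert`, `make_crl`, `load_crl_bundle`, `verify_server`, `run_demo`) and the CN values are hypothetical.

```ruby
require 'openssl'
# Constructed test PKI: root CA -> intermediate CA -> server certificate.
def make_cert(cn, serial, key, issuer = nil, issuer_key = key, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end
def make_crl(issuer, issuer_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = issuer.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each { |s| crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial = s; r.time = Time.now }) }
  crl.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Parse every CRL in a PEM bundle, not only the first one.
def load_crl_bundle(pem)
  pem.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m).map { |b| OpenSSL::X509::CRL.new(b) }
end

# Returns OpenSSL's verification error code (V_OK when the chain is accepted).
def verify_server(server, intermediate, root, crls, flags)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  crls.each { |crl| store.add_crl(crl) }
  store.flags = flags
  ctx = OpenSSL::X509::StoreContext.new(store, server, [intermediate])
  ctx.verify ? OpenSSL::X509::V_OK : ctx.error
end

def run_demo
  rk, ik, sk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('Test Root CA', 1, rk)
  inter = make_cert('Test Intermediate CA', 2, ik, root, rk)
  server = make_cert('puppet.example.test', 3, sk, inter, ik, ca: false)
  # The root's CRL revokes the intermediate (serial 2); the intermediate's CRL is empty.
  crls = load_crl_bundle(make_crl(root, rk, [2]).to_pem + make_crl(inter, ik, []).to_pem)
  leaf_only = OpenSSL::X509::V_FLAG_CRL_CHECK
  chain = leaf_only | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  { one_crl_chain: verify_server(server, inter, root, [crls.last], chain),
    one_crl_leaf_only: verify_server(server, inter, root, [crls.last], leaf_only),
    all_crls_chain: verify_server(server, inter, root, crls, chain) }
end
p run_demo
```

With a single CRL in the store, whole-chain checking fails because the CRL covering the intermediate is missing, and leaf-only checking accepts the server even though its issuing CA is revoked. Only the store holding every CRL from the bundle reports the revocation.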


              People

              Assignee:
              tony.vu Tony Vu
              Reporter:
              maggie Maggie Dreyer
              Votes:
              0
              Watchers:
              2
