Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8748

Puppet::Rest::Client should allow its verify mode to be configured by the caller

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • PUP 6.0.0
    • None
    • None
    • Hide
      • Puppet::Rest::Client allows its SSL state to be configured by the caller
      • Insecure connections are only created and used once on demand, and not via an automatic downgrade
      • acceptance covered elsewhere (agent downloads cert, etc), and probably not required anyway
      • probable to cover at unit level
      Show
      Puppet::Rest::Client allows its SSL state to be configured by the caller Insecure connections are only created and used once on demand, and not via an automatic downgrade acceptance covered elsewhere (agent downloads cert, etc), and probably not required anyway probable to cover at unit level
    • Froyo
    • Not Needed
    • Needs Assessment

    Description

      We need different levels of verification for HTTP requests depending on the state of the application (e.g. whether we have downloaded a CA cert or should do CRL checking). This state is known by the entity making the requests. Currently, the client tries to guess the right verify mode itself by trying to inspect the application state (e.g. looking for files on disk). Instead, we should have the caller request certain security configurations directly, via passing a context object to the client describing the kind of connection that should be used for the request. The client should then correctly handle cleaning up once the request has been made, for example by resetting all connections after downloading the CA bundle using VERIFY_NONE. This will help ensure that we don't accidentally downgrade connections that are supposed to be secure.

      as a puppet/server dev
      i want this
      so that we can be explicit about the ssl verify state

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. PUP-7295 Puppet is too permissive about skipping SSL verification

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Activity

            People

              maggie Maggie Dreyer
              maggie Maggie Dreyer
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support