Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9064

Puppet assumes all SSL certs it verifies have client purpose set



    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • PUP 6.0.0
    • None
    • None
    • Coremunity
    • Platform Core KANBAN
    • Needs Assessment
    • Not Needed
    • This issue doesn't affect users using puppet-agent#5.5.x or earlier, and makes puppet 6 behave like it did it puppet 5, so no point in documenting it for the 6.0 release.
    • Needs Assessment


      This PR is open to update Travis & Appveyor to test puppet's master branch using ruby 2.5; The Appveyor tests have uncovered a legitimate puppet failure (link to the full log here):

        1) Puppet::Indirector::CertificateStatus::File when searching should return a list of all hosts with certificate requests, signed certs, or revoked certs
           Failure/Error: expect(results).to eq([["ca","signed"],["requested_host","requested"],["revoked_host","revoked"],["signed_host","signed"]])
             expected: [["ca", "signed"], ["requested_host", "requested"], ["revoked_host", "revoked"], ["signed_host", "signed"]]
                  got: [["ca", "revoked"], ["requested_host", "requested"], ["revoked_host", "revoked"], ["signed_host", "signed"]]
             (compared using ==)
           # ./spec/unit/indirector/certificate_status/file_spec.rb:188:in `block (3 levels) in <top (required)>'
           # util/rspec_runner:44:in `run'
           # util/rspec_runner:59:in `<main>'
      Finished in 49.26 seconds (files took 7.23 seconds to load)

      A summary of some discussion we've had around this in PRs and chat so far:

      • This happens with Ruby 2.5.x and and OpenSSL 1.1.0. We suspect we're seeing this failure in Appveyor and not Travis because Travis may build their Ruby 2.5.x against an earlier version of OpenSSL
      • We set purpose to SSL_CLIENT, and OpenSSL 1.1.0, unlike earlier versions, will check the purpose of each certificate and fail verification if purpose does not match.
      • This failure only manifests when verifying the CA using itself:
        • This normally works because the CA is a self-signed cert
        • But the CA does not have the SSL_CLIENT purpose (and it should never set that), so it fails verification now
      • To fix this, we need to find some way not to set the purpose when verifying the CA cert using itself:
        • We may add an optional purpose parameter to the verify method, and have it default to OpenSSL::X509::PURPOSE_SSL_CLIENT. Then, Host's state method could pass OpenSSL::PURPOSE_ANY here.

      sean.mcdonald provided this script to perform a test that creates a CA and attempts to verify it with and without the purpose set (requires system openssl installed).

      This issue blocks PUP-8614 (adding ruby 2.5 to puppet's Travis/Appveyor config), which blocks the upgrade to ruby 2.5.1 in puppet-agent.


        Issue Links



              josh Josh Cooper
              casey.williams Casey Williams
              0 Vote for this issue
              5 Start watching this issue



                Zendesk Support