Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9064

Puppet assumes all SSL certs it verifies have client purpose set

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.0
    • Component/s: None
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      This issue doesn't affect users using puppet-agent#5.5.x or earlier, and makes puppet 6 behave like it did it puppet 5, so no point in documenting it for the 6.0 release.
    • QA Risk Assessment:
      Needs Assessment

      Description

      This PR is open to update Travis & Appveyor to test puppet's master branch using ruby 2.5; The Appveyor tests have uncovered a legitimate puppet failure (link to the full log here):

      Failures:
        1) Puppet::Indirector::CertificateStatus::File when searching should return a list of all hosts with certificate requests, signed certs, or revoked certs
           Failure/Error: expect(results).to eq([["ca","signed"],["requested_host","requested"],["revoked_host","revoked"],["signed_host","signed"]])
             expected: [["ca", "signed"], ["requested_host", "requested"], ["revoked_host", "revoked"], ["signed_host", "signed"]]
                  got: [["ca", "revoked"], ["requested_host", "requested"], ["revoked_host", "revoked"], ["signed_host", "signed"]]
             (compared using ==)
           # ./spec/unit/indirector/certificate_status/file_spec.rb:188:in `block (3 levels) in <top (required)>'
           # util/rspec_runner:44:in `run'
           # util/rspec_runner:59:in `<main>'
      Finished in 49.26 seconds (files took 7.23 seconds to load)
      

      A summary of some discussion we've had around this in PRs and chat so far:

      • This happens with Ruby 2.5.x and and OpenSSL 1.1.0. We suspect we're seeing this failure in Appveyor and not Travis because Travis may build their Ruby 2.5.x against an earlier version of OpenSSL
      • We set purpose to SSL_CLIENT, and OpenSSL 1.1.0, unlike earlier versions, will check the purpose of each certificate and fail verification if purpose does not match.
      • This failure only manifests when verifying the CA using itself:
        • This normally works because the CA is a self-signed cert
        • But the CA does not have the SSL_CLIENT purpose (and it should never set that), so it fails verification now
      • To fix this, we need to find some way not to set the purpose when verifying the CA cert using itself:
        • We may add an optional purpose parameter to the verify method, and have it default to OpenSSL::X509::PURPOSE_SSL_CLIENT. Then, Host's state method could pass OpenSSL::PURPOSE_ANY here.

      Sean McDonald provided this script to perform a test that creates a CA and attempts to verify it with and without the purpose set (requires system openssl installed).

      This issue blocks PUP-8614 (adding ruby 2.5 to puppet's Travis/Appveyor config), which blocks the upgrade to ruby 2.5.1 in puppet-agent.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              casey.williams Casey Williams
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support