Puppet / PUP-9064

Puppet assumes all SSL certs it verifies have client purpose set


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: PUP 6.0.0
    • Team: Coremunity
    • Sprint: Platform Core KANBAN
    • Release Notes: Not Needed
    • This issue doesn't affect users running puppet-agent 5.5.x or earlier, and makes Puppet 6 behave as it did in Puppet 5, so there is no point in documenting it for the 6.0 release.

    Description

      This PR is open to update Travis & Appveyor to test puppet's master branch using ruby 2.5; The Appveyor tests have uncovered a legitimate puppet failure (link to the full log here):

      Failures:
        1) Puppet::Indirector::CertificateStatus::File when searching should return a list of all hosts with certificate requests, signed certs, or revoked certs
           Failure/Error: expect(results).to eq([["ca","signed"],["requested_host","requested"],["revoked_host","revoked"],["signed_host","signed"]])
             expected: [["ca", "signed"], ["requested_host", "requested"], ["revoked_host", "revoked"], ["signed_host", "signed"]]
                  got: [["ca", "revoked"], ["requested_host", "requested"], ["revoked_host", "revoked"], ["signed_host", "signed"]]
             (compared using ==)
           # ./spec/unit/indirector/certificate_status/file_spec.rb:188:in `block (3 levels) in <top (required)>'
           # util/rspec_runner:44:in `run'
           # util/rspec_runner:59:in `<main>'
      Finished in 49.26 seconds (files took 7.23 seconds to load)
      

      A summary of some discussion we've had around this in PRs and chat so far:

      • This happens with Ruby 2.5.x and OpenSSL 1.1.0. We suspect we're seeing this failure in Appveyor and not Travis because Travis may build their Ruby 2.5.x against an earlier version of OpenSSL
      • We set purpose to SSL_CLIENT, and OpenSSL 1.1.0, unlike earlier versions, will check the purpose of each certificate and fail verification if purpose does not match.
      • This failure only manifests when verifying the CA using itself:
        • This normally works because the CA is a self-signed cert
        • But the CA does not have the SSL_CLIENT purpose (and it should never set that), so it fails verification now
      • To fix this, we need to find some way not to set the purpose when verifying the CA cert using itself:
        • We may add an optional purpose parameter to the verify method, and have it default to OpenSSL::X509::PURPOSE_SSL_CLIENT. Then, Host's state method could pass OpenSSL::PURPOSE_ANY here.

      sean.mcdonald provided this script to perform a test that creates a CA and attempts to verify it with and without the purpose set (requires system openssl installed).
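      That script is not reproduced on this page. What follows is an added example, not sean.mcdonald's script and not Puppet's code, that reproduces the behaviour summarised in the bullets above using only Ruby's standard openssl extension: it builds a self-signed CA carrying the usual CA extensions (basicConstraints CA:TRUE, keyUsage keyCertSign/cRLSign), an end-entity certificate signed by that CA, and a verify_with_purpose helper whose optional purpose parameter defaults to OpenSSL::X509::PURPOSE_SSL_CLIENT, the shape of fix proposed above (the "any" purpose constant is OpenSSL::X509::PURPOSE_ANY). The subject names, serial numbers and helper names are constructed for the example.

```ruby
require 'openssl'

# Added example, not Puppet's code. Reproduces the PUP-9064 failure: on
# OpenSSL 1.1.0+ a self-signed CA certificate cannot be verified against
# itself with the SSL client purpose, because a CA cert carries only
# keyCertSign/cRLSign key usage. Verifying with PURPOSE_ANY succeeds.

DIGEST = 'SHA256'

# Build a self-signed CA certificate with the extensions a CA normally carries.
# (Constructed test data: the CN and serial are arbitrary.)
def make_ca(cn = 'Example CA')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                          # X.509v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  # No digitalSignature here: this is what trips the SSL client purpose check.
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [cert, key]
end

# Build an end-entity (agent-style) certificate signed by the CA.
def make_leaf(ca_cert, ca_key, cn = 'agent.example')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth, clientAuth', true))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  [cert, key]
end

# Verify `cert` against a store that trusts `ca_cert`. The purpose is optional
# and defaults to the SSL client purpose, the shape of fix proposed in the
# issue; callers verifying the CA against itself pass PURPOSE_ANY instead.
# Returns [ok, error_string].
def verify_with_purpose(cert, ca_cert, purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT)
  store = OpenSSL::X509::Store.new
  store.purpose = purpose
  store.add_cert(ca_cert)
  ok = store.verify(cert)
  [ok, store.error_string]
end

# True when the linked OpenSSL is 1.1.0 or newer, the versions that apply the
# purpose check to every certificate in the chain, trusted ones included.
def openssl_checks_purpose?
  OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000
end

if $PROGRAM_NAME == __FILE__
  ca_cert, ca_key = make_ca
  leaf, _leaf_key = make_leaf(ca_cert, ca_key)
  puts "OpenSSL: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "leaf, SSL_CLIENT:  #{verify_with_purpose(leaf, ca_cert).inspect}"
  puts "CA,   SSL_CLIENT:  #{verify_with_purpose(ca_cert, ca_cert).inspect}"
  puts "CA,   PURPOSE_ANY: #{verify_with_purpose(ca_cert, ca_cert, OpenSSL::X509::PURPOSE_ANY).inspect}"
end
```

      Run directly, it prints the three results. Against OpenSSL 1.1.0 or newer the CA verified with the client purpose fails with "unsupported certificate purpose" while the same cert passes under PURPOSE_ANY; the end-entity certificate passes under the client purpose, which is why the default should stay SSL_CLIENT for agent certificates and only the CA-against-itself path needs the looser purpose.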

      This issue blocks PUP-8614 (adding ruby 2.5 to puppet's Travis/Appveyor config), which blocks the upgrade to ruby 2.5.1 in puppet-agent.

      People

        Josh Cooper (josh)
        Casey Williams (casey.williams)
        Votes: 0
        Watchers: 5