[PUP-9459] Create SSL state machine for generating a client cert - Puppet Jira Server

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 6.4.0
Component/s: None
Labels:
- resolved-issue-added

Epic Link:
Simplify agent SSL initialization
Team:
Coremunity
CVE-ID:
CVE-2018-11751
Sprint:
Platform Core KANBAN

Release Notes:
New Feature
Release Notes Summary:
Puppet now uses the SSL state machine to generate its private key, submit a CSR, and retrieve its client cert.

QA Risk Assessment:
Needs Assessment

Description

Create an SSL state machine for loading/generating a private key, loading/submitting a CSR, and loading/downloading a client cert. The state machine should verify the consistency of the data before committing changes to disk and moving to the next state. For example, if we download the client cert, but its public key doesn't match our private key, then the cert should be discarded and an error generated. Connections should always authenticate the server (VERIFY_PEER) and never downgrade to VERIFY_NONE. The state machine should generate an SSLContext initialized with the CA certs, CRL bundle, client cert and private key so that all future connections are mutually authenticated.

Attachments

Issue Links

is duplicated by

PUP-4568 Puppet agent does not resend certificate request to master

Closed

PUP-6207 expired certificates cause recursion

Closed

PUP-7295 Puppet is too permissive about skipping SSL verification

Closed

PUP-7903 Do not cache invalid node certificate from puppet master

Closed

Activity

People

Assignee:: Josh Cooper

Reporter:: Josh Cooper

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019/01/23 3:41 PM

Updated:: 2019/12/03 11:47 AM

Resolved:: 2019/03/20 2:11 PM