When a Puppet agent attempts to make a request to the MRI Puppet master and the agent certificate’s serial number is in the master’s CRL, I see the following warning in the agent’s log:
When doing the same test with a Puppet Server master and an underlying Jetty server whose SslContext is configured for CRL support (see PE-3914), I see the following warning in the agent’s log instead of the above warning:
In some packet tracing with Wireshark, the main difference I’ve noticed between the two is that the MRI Puppet master generates an SSLv3 alert for “certificate revoked” (44) before sending the FIN packet for the connection, whereas the JVM Puppet master sends no SSLv3 alert.
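As an added example (not part of this ticket, and not Puppet or Puppet Server code), the following Python parser walks a server-to-client TLS byte stream and reports any plaintext alert record, so the two behaviours above (a "certificate revoked" (44) alert before FIN versus a bare FIN) can be told apart from a raw capture without Wireshark. The two sample streams are constructed by hand for illustration, not taken from a real capture; a ServerHelloDone record stands in for the rest of the server's handshake, and the alert is readable because a TLS 1.2 server that rejects the client certificate sends it before its own ChangeCipherSpec, i.e. still unencrypted.

```python
"""Parse TLS records from a server->client byte stream and report any alert
record, to distinguish "alert 44 then FIN" from "bare FIN" closures."""
import struct

CONTENT_HANDSHAKE = 22
CONTENT_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from RFC 5246 section 7.2 (subset relevant to cert checks).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 80: "internal_error",
}


def iter_records(stream: bytes):
    """Yield (content_type, (major, minor), payload) for each TLS record.

    Raises ValueError if the stream ends in the middle of a record, which is
    what a capture looks like when the peer sent FIN mid-record.
    """
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated TLS record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body at offset %d" % off)
        yield ctype, (major, minor), body
        off += 5 + length


def find_alerts(stream: bytes):
    """Return [(level_name, description_name), ...] for every plaintext alert.

    Only unencrypted alerts are decodable here; an alert sent after the
    server's ChangeCipherSpec would need the session keys.
    """
    alerts = []
    for ctype, _version, body in iter_records(stream):
        if ctype != CONTENT_ALERT or len(body) != 2:
            continue
        level, desc = body[0], body[1]
        alerts.append((ALERT_LEVELS.get(level, "level_%d" % level),
                       ALERT_DESCRIPTIONS.get(desc, "alert_%d" % desc)))
    return alerts


def classify_close(stream: bytes) -> str:
    """Describe how the server ended the connection: named alert, or nothing."""
    alerts = find_alerts(stream)
    if not alerts:
        return "no TLS alert before close (bare FIN)"
    level, desc = alerts[-1]
    return "%s alert: %s" % (level, desc)


# Constructed sample records (not real captures).
# Handshake record (type 22, TLS 1.0 record version) carrying a
# ServerHelloDone message (handshake type 14, zero-length body).
SERVER_HELLO_DONE = b"\x16\x03\x01\x00\x04" + b"\x0e\x00\x00\x00"
# Alert record (type 21): level fatal (2), description certificate_revoked (44).
CERT_REVOKED_ALERT = b"\x15\x03\x01\x00\x02" + b"\x02\x2c"

# What the ticket describes for the MRI master: alert, then FIN.
MRI_MASTER_STREAM = SERVER_HELLO_DONE + CERT_REVOKED_ALERT
# What it describes for the JVM master: no alert, just FIN.
JVM_MASTER_STREAM = SERVER_HELLO_DONE

if __name__ == "__main__":
    for name, stream in (("MRI master", MRI_MASTER_STREAM),
                         ("JVM master", JVM_MASTER_STREAM)):
        print("%s: %s" % (name, classify_close(stream)))
```

To use this on a real capture, export the server-to-client TCP payload from Wireshark ("Follow TCP Stream", raw, one direction) and pass those bytes to `classify_close`; an unexpected `ValueError` means the peer closed the socket partway through a record, which is a third failure mode worth reporting separately.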
If DEBUG level logging is enabled for the Jetty server in the Puppet Server master, there is a more specific message logged about the certificate revocation failure. This would only be seen in the master-side log, though. Also, the failure message does not appear to identify anything specific about the client other than the revocation date of the certificate.
josh indicated that it would be nice if we could get the Jetty server to send the SSLv3 certificate revoked alert as it would help with agent-side error reporting. Part of the issue is that "read finished A" can happen for a lot of other reasons, e.g. the client sent SSLv2 client hello, the client TCP connected, but never sent a hello, the server timed out the client, ... josh did not indicate that this is a clear showstopper, however.