
Investigate adding SSLv3 certificate revoked alert to Jetty / Java



    • Type: Improvement
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None


      When a Puppet agent attempts to make a request to the MRI Puppet master and the agent certificate’s serial number is in the master’s CRL, I see the following warning in the agent’s log:

      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

      When doing the same test with a Puppet Server master and an underlying Jetty server whose SslContext is configured for CRL support (see PE-3914), I see the following warning in the agent’s log instead of the above warning:

      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

      Doing some packet tracing with Wireshark, the main difference I’ve noticed between the two is that the MRI Puppet master generates an SSLv3 alert for “certificate revoked” (44) before sending the FIN packet for the connection whereas the JVM Puppet master sends no SSLv3 alert.

      If DEBUG level logging is enabled for the Jetty server in the Puppet Server master, there is a more specific message logged about the certificate revocation failure. This would only be seen in the master-side log, though. Also, the failure message does not appear to identify anything specific about the client other than the revocation date of the certificate.

      Josh Cooper indicated that it would be nice if we could get the Jetty server to send the SSLv3 certificate revoked alert as it would help with agent-side error reporting. Part of the issue is that "read finished A" can happen for a lot of other reasons, e.g. the client sent SSLv2 client hello, the client TCP connected, but never sent a hello, the server timed out the client, ... Josh Cooper did not indicate that this is a clear showstopper, however.
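      The diagnostic gap described above, as an added illustration (not code from Puppet, Puppet Server or Jetty): a small agent-side decoder that reads the last TLS record received before the server closed the connection and tells a fatal certificate_revoked alert (description 44, as the MRI master sends) apart from a bare FIN with no alert (as the Jetty master sends), which stays ambiguous. The byte strings are constructed samples, not real captures.

```ruby
# TLS alert descriptions relevant to certificate validation (RFC 5246 section 7.2).
ALERT_DESCRIPTIONS = {
  0  => "close_notify",
  40 => "handshake_failure",
  42 => "bad_certificate",
  44 => "certificate_revoked",
  45 => "certificate_expired",
  46 => "certificate_unknown",
  48 => "unknown_ca",
}.freeze

# Parse one TLS record (5-byte header + body) and return the alert it carries,
# or nil when the bytes are not a well-formed alert record.
def parse_tls_alert(bytes)
  return nil if bytes.nil? || bytes.bytesize < 7
  content_type, major, minor, length = bytes.unpack("CCCn")
  return nil unless content_type == 21 && length == 2  # 21 = alert
  level, description = bytes.byteslice(5, 2).unpack("CC")
  {
    level: level == 2 ? :fatal : :warning,
    code: description,
    name: ALERT_DESCRIPTIONS.fetch(description, "unknown(#{description})"),
    version: "#{major}.#{minor}",
  }
end

# Classify what the agent saw just before the server closed the connection.
def classify_close(last_record)
  alert = parse_tls_alert(last_record)
  if alert.nil?
    { cause: :ambiguous,
      message: "server closed the connection after 'read finished A' without an alert; " \
               "a revoked certificate, an SSLv2 client hello, a missing client hello " \
               "or a server-side timeout all look the same from here" }
  elsif alert[:code] == 44
    { cause: :certificate_revoked,
      message: "server sent #{alert[:level]} alert certificate_revoked (44): " \
               "the agent certificate's serial number is in the master's CRL" }
  else
    { cause: :other_alert, message: "server sent #{alert[:level]} alert #{alert[:name]}" }
  end
end

# Constructed samples: a fatal certificate_revoked alert (what the MRI master
# emits before its FIN) and an empty buffer (the Jetty master's FIN with no alert).
MRI_MASTER_ALERT    = [21, 3, 1, 0, 2, 2, 44].pack("C*")
JVM_MASTER_NO_ALERT = ""
```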




            Assignee: Unassigned
            Reporter: Jeremy Barlow
            QA Contact: John Duarte


