[PUP-7295] Puppet is too permissive about skipping SSL verification Created: 2017/03/02  Updated: 2019/03/20  Resolved: 2019/03/19

Status: Closed
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Adrien Thebo Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: resolved-issue-added, ssl
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicates PUP-9459 Create SSL state machine for generati... Closed
relates to PUP-7283 Instantiating Puppet::SSL::DefaultVal... Closed
relates to PUP-8652 Agents should be able to use CA and C... Closed
relates to PUP-8748 Puppet::Rest::Client should allow its... Closed
Template: PUP Bug Template
Epic Link: Simplify agent SSL initialization
Team: Coremunity
Release Notes: Enhancement
Release Notes Summary: Puppet now never downgrades verification based on the absence of a client cert.
QA Risk Assessment: Needs Assessment


The majority of SSL connections Puppet makes to Puppet masters (which are mainly done by the indirector) can rely on the CA cert and a signed client certificate being available, which means that we can perform SSL peer verification and can provide a client certificate for client cert based authentication. However, the current behavior of the SSL Validator code is able to downgrade to an unauthenticated connection at any point. This introduces unneeded risk when we can clearly identify the small set of code paths that might have a real reason for using a less thorough validator.

Instead of having our validators defaulting to no validation, we should reverse this. The default validator should require a CA certificate for peer verification and should have a client certificate available in case client cert based authentication is required. The code paths that need to have reduced validators should specifically use those validators when absolutely necessary and should default to using the cert auth validator in all other cases.

The locations that I can think of that can justify reducing or disabling verification are as follows:

  • Fetching the CA certificate when we don't have a local copy of the CA certificate (AKA :localcacert).
  • Submitting a CSR when a client certificate isn't available (AKA :hostcert).
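The policy sketched in the description, written out as an added Ruby example (this is not Puppet's own code): the default request kind requires both the CA certificate and the client certificate and raises when either is missing, and only the two bootstrap cases named above may run with reduced verification, each selected explicitly by the caller rather than inferred from which files happen to exist. The class and mode names (SslPolicy, :authenticated, :bootstrap_ca, :bootstrap_csr) are hypothetical, the returned hash stands in for whatever an HTTP client would apply to its SSLContext, and the certificate files written by the demo are constructed placeholders.

```ruby
require 'openssl'
require 'tmpdir'

# Added example (hypothetical, not Puppet's code): a verifier-selection
# policy that never downgrades peer verification because a client
# certificate is absent. Only explicitly named bootstrap request kinds
# get reduced verification; the default refuses rather than relaxes.
class SslPolicy
  class DowngradeRefused < StandardError; end

  def initialize(localcacert:, hostcert:)
    @localcacert = localcacert  # corresponds to Puppet's :localcacert setting
    @hostcert = hostcert        # corresponds to Puppet's :hostcert setting
  end

  # Returns the SSL settings for a request of +kind+.
  def settings_for(kind = :authenticated)
    case kind
    when :bootstrap_ca
      # Downloading the CA cert when no local copy exists: there is nothing
      # to verify the peer against yet, so verification is necessarily off.
      { verify: OpenSSL::SSL::VERIFY_NONE, ca_file: nil, cert_file: nil }
    when :bootstrap_csr
      # Submitting a CSR before a client cert exists: peer verification still
      # applies (the CA cert must be present); only client auth is skipped.
      require_file!(@localcacert, 'CA certificate', kind)
      { verify: OpenSSL::SSL::VERIFY_PEER, ca_file: @localcacert, cert_file: nil }
    when :authenticated
      # The default for indirector traffic: both files are mandatory.
      require_file!(@localcacert, 'CA certificate', kind)
      require_file!(@hostcert, 'client certificate', kind)
      { verify: OpenSSL::SSL::VERIFY_PEER, ca_file: @localcacert, cert_file: @hostcert }
    else
      raise ArgumentError, "unknown request kind #{kind.inspect}"
    end
  end

  # Walks the agent bootstrap sequence in a temporary directory and returns
  # the verify mode chosen at each step (:refused where the policy raised).
  def self.demo
    Dir.mktmpdir do |dir|
      ca = File.join(dir, 'ca.pem')
      host = File.join(dir, 'host.pem')
      policy = new(localcacert: ca, hostcert: host)
      step = lambda do |kind|
        begin
          policy.settings_for(kind)[:verify]
        rescue DowngradeRefused
          :refused
        end
      end
      out = {}
      # Fresh agent: no CA cert, no client cert.
      out[:no_ca_authenticated] = step.call(:authenticated)  # :refused
      out[:no_ca_csr]           = step.call(:bootstrap_csr)  # :refused
      out[:no_ca_fetch_ca]      = step.call(:bootstrap_ca)   # VERIFY_NONE
      # CA cert fetched (constructed placeholder, not a real certificate).
      File.write(ca, "-- constructed placeholder --\n")
      out[:ca_only_authenticated] = step.call(:authenticated) # :refused
      out[:ca_only_csr]           = step.call(:bootstrap_csr) # VERIFY_PEER
      # Signed client cert installed (constructed placeholder).
      File.write(host, "-- constructed placeholder --\n")
      out[:both_authenticated] = step.call(:authenticated)    # VERIFY_PEER
      out
    end
  end

  private

  def require_file!(path, what, kind)
    return if File.exist?(path)
    raise DowngradeRefused, "#{what} #{path} missing; refusing to downgrade #{kind} request"
  end
end
```

The point of the ordering in `demo` is that the absence of `host.pem` never changes the outcome of an `:authenticated` request from "verified with client cert" to "unverified"; it changes it to an error, and the only way to get a connection without client auth is to ask for `:bootstrap_csr` by name.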

Comment by Adrien Thebo [ 2017/03/02 ]

/cc Josh Cooper

Comment by Maggie Dreyer [ 2018/07/11 ]

We have fixed this problem for SSL bootstrapping at least, which uses the new Puppet::Rest::Client. That HTTP client forces the caller to specify the verify level appropriate for the request it is trying to make, with all the relevant cert and CRL files provided (PUP-8748). However, we did not update the default validator used by the indirector as part of that work.

Comment by Maggie Dreyer [ 2018/10/02 ]

This work was removed from 6.0 at the last minute, see PUP-9094. We should remedy this as soon as possible.

Comment by Josh Cooper [ 2019/02/20 ]

A new verifier is being implemented in PUP-9457, which will not downgrade. Once callers are updated to call the new method (in PUP-9460), then this can be closed.

Comment by Josh Cooper [ 2019/03/19 ]

This is fully resolved in PUP-9459. Also we correctly use the CRL when it is enabled (except when downloading the CA and CRL bundles). Marking as a dup and closing.

Generated at Tue Aug 11 00:14:05 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.