[PUP-9458] Create SSL state machine for downloading CA and CRL bundles Created: 2019/01/23  Updated: 2019/03/26  Resolved: 2019/03/14

Status: Closed
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 6.4.0

Type: New Feature Priority: Normal
Reporter: Josh Cooper Assignee: Josh Cooper
Resolution: Fixed Votes: 0
Labels: resolved-issue-added
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Epic Link: Simplify agent SSL initialization
Team: Coremunity
Sprint: Platform Core KANBAN
Release Notes: Enhancement
Release Notes Summary: Modifies the `puppet ssl` application to use a state machine to download the CA and CRL bundles instead of Puppet::SSL::Host.
QA Risk Assessment: Needs Assessment


Create a state machine for downloading the CA and CRL bundles. It should verify each certificate and CRL before committing them to disk, e.g. each must be a valid X.509 object with a valid signature. The state machine should produce an SSLContext initialized with those objects so that subsequent requests are guaranteed to authenticate the server (VERIFY_PEER).
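As an added illustration of the verify-before-commit flow described above (example code written for this page, not Puppet's own implementation), the Ruby sketch below accepts the CA bundle, then the CRL bundle, verifies each before anything enters the trust store, and only then hands out an SSLContext with VERIFY_PEER. The `BundleVerifier` class and the `make_test_ca` fixture are assumptions of this example.

```ruby
require 'openssl'

# Verify-before-commit state machine (:need_ca -> :need_crl -> :done): nothing reaches the store until it parses and verifies.
class BundleVerifier
  attr_reader :state
  def initialize
    @state, @store = :need_ca, OpenSSL::X509::Store.new
  end
  def accept_ca_bundle(pem)
    raise "unexpected CA bundle in state #{@state}" unless @state == :need_ca
    certs = pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
               .map { |p| OpenSSL::X509::Certificate.new(p) } # raises on malformed PEM
    raise 'empty CA bundle' if certs.empty?
    certs.each { |c| @store.add_cert(c) }
    # every CA cert must chain, with valid signatures, to a root inside the bundle
    certs.each { |c| raise "untrusted CA #{c.subject}" unless @store.verify(c) }
    @cas, @state = certs, :need_crl
  end
  def accept_crl_bundle(pem)
    raise "unexpected CRL bundle in state #{@state}" unless @state == :need_crl
    crls = pem.scan(/-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m)
              .map { |p| OpenSSL::X509::CRL.new(p) }
    crls.each do |crl| # the issuer must be in the CA bundle and must have signed the CRL
      issuer = @cas.find { |c| c.subject == crl.issuer }
      raise "CRL from #{crl.issuer} failed verification" unless issuer && crl.verify(issuer.public_key)
    end
    crls.each { |crl| @store.add_crl(crl) } # commit only after every CRL verified
    @store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
    @state = :done
  end
  def ssl_context # reachable only after both bundles verified, so peers are always authenticated
    raise "bundles not verified (state #{@state})" unless @state == :done
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert_store, ctx.verify_mode = @store, OpenSSL::SSL::VERIFY_PEER
    ctx
  end
end

# Constructed fixture, not real Puppet data: a v1 self-signed root (OpenSSL treats it as a CA) plus an empty CRL it signs.
def make_test_ca(cn = 'Test CA')
  key, now, sha = OpenSSL::PKey::RSA.new(2048), Time.now, OpenSSL::Digest.new('SHA256')
  cert = OpenSSL::X509::Certificate.new
  cert.serial, cert.public_key = 1, key.public_key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.not_before, cert.not_after = now - 60, now + 3600
  cert.sign(key, sha)
  crl = OpenSSL::X509::CRL.new
  crl.issuer, crl.last_update, crl.next_update = cert.subject, now - 60, now + 3600
  crl.sign(key, sha)
  [cert.to_pem, crl.to_pem]
end
```

A CRL signed by a different key for the same issuer name, or a bundle that does not parse, leaves the machine in its current state with nothing committed.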

Comment by Kris Bosland [ 2019/03/07 ]

Merged to master at 7bb7651.

Comment by Josh Cooper [ 2019/03/11 ]

Passed CI in ee27e9ed1b

Comment by Josh Cooper [ 2019/03/11 ]

This failed puppetserver CI, in a situation where the host has a cert and key, but no CRL bundle. It isn't an issue for the CA bundle, because Puppet::Application::Agent constructs a Puppet::SSL::Host object, which ends up downloading the CA bundle, but not the CRL bundle.

Comment by Kris Bosland [ 2019/03/13 ]

Update merged into master at 2b4579e.

Comment by Josh Cooper [ 2019/03/14 ]

Passed CI in dd0cf931e139f4edce1efcb8a9f4a79d8e7ca9d9

Generated at Sat Aug 08 08:30:06 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.