| author | Luke Kanies <luke@puppetlabs.com> | 2010-05-11 22:01:10 -0700 |
|---|---|---|
| committer | James Turnbull <james@lovedthanlost.net> | 2010-05-14 16:20:11 +1000 |
| commit | 92144000683cf596693596bf653bbd7e089976ef (patch) | |
| tree | 0f4d6f0092f2b77c3d00f1d8345ecfb19033f1b1 | |
| parent | 9d3e98b8cb2b980b61f3cd17af471f2e9d04841f (diff) | |
WIP - trying to fix #3460
Signed-off-by: Luke Kanies <luke@puppetlabs.com>
Conflicts:
lib/puppet/ssl/host.rb
| -rw-r--r-- | lib/puppet/defaults.rb | 4 | ||||
| -rw-r--r-- | lib/puppet/network/http_server/webrick.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 1 | ||||
| -rwxr-xr-x | spec/integration/defaults.rb | 4 |
5 files changed, 10 insertions, 3 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 4440fceaa..e446a2321 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -291,7 +291,9 @@ module Puppet
 :owner => "service",
 :desc => "Where the host's certificate revocation list can be found. This is distinct from the certificate authority's CRL."
- }
+ },
+ :certificate_revocation => [true, "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) to all clients. If enabled, CA chaining will almost definitely not work."]
 )
 setdefaults(:ca,
diff --git a/lib/puppet/network/http_server/webrick.rb b/lib/puppet/network/http_server/webrick.rb
index 2dae9ccd8..051a35234 100644
--- a/lib/puppet/network/http_server/webrick.rb
+++ b/lib/puppet/network/http_server/webrick.rb
@@ -28,7 +28,7 @@ module Puppet
 crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl]))
 store = OpenSSL::X509::Store.new
 store.purpose = OpenSSL::X509::PURPOSE_ANY
- store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+ store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
 unless self.ca_cert
 raise Puppet::Error, "Could not find CA certificate"
 end
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 10d13c28e..4ae8d78e7 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -284,7 +284,7 @@ class Puppet::SSL::CertificateAuthority
 store.add_file Puppet[:cacert]
 store.add_crl crl.content if self.crl
 store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
- store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+ store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
 unless store.verify(cert.content)
 raise CertificateVerificationError.new(store.error), store.error_string
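Review bot: The description of the new `certificate_revocation` setting documents only the cost of leaving it on ("CA chaining will almost definitely not work") and not the cost of turning it off, which is the security-relevant half: with the setting false the `store.flags` assignments this commit guards are skipped, OpenSSL never consults the CRL, and a revoked certificate keeps being accepted until it expires. An operator reading `puppet --genconfig` output needs that trade-off stated. I would extend the description with a sentence such as `Disabling this means revoked certificates are accepted until they expire; only turn it off if you need CA chaining.` The enclosing `setdefaults(` call starts before this hunk.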
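Review bot: The read on the line above the new guard, `crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl]))`, is still unconditional, so with `certificate_revocation` false a missing or unparseable `cacrl` still aborts server start-up on behalf of a CRL that will never be consulted; either guard the read with the same condition (together with whatever consumes `crl` later in the method, outside the hunk) or add a comment stating that the file must exist regardless. Conversely, with the setting on nothing visible in the hunk adds the CRL to `store`; if that happens after the hunk it is fine, but `V_FLAG_CRL_CHECK` on a store with no CRL makes OpenSSL reject every peer certificate for lack of a CRL, so it is worth confirming. As a point of style, the neighbouring line reads the setting as `Puppet[:cacrl]` while the new line uses `Puppet.settings[:certificate_revocation]`; the two appear to be equivalent and the file's shorter form would read better. The enclosing method begins before and continues after this hunk.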
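Review bot: The two guards on the new side are independent: `store.add_crl crl.content if self.crl` keys on whether a CRL object exists while the flags line keys on the setting, so with the setting on and `self.crl` nil the store carries `V_FLAG_CRL_CHECK` but no CRL, and OpenSSL then rejects every certificate with an "unable to get certificate CRL" error that surfaces through `CertificateVerificationError` with no hint that the CRL is simply missing; with the setting off, the CRL added above is never consulted. Fail-closed is the right default for a CA verify path, but it should fail with a message that names the cause, and both lines should be driven by the one setting. The enclosing method continues past the hunk (the `unless store.verify` block is not closed here).
```ruby
        store.add_file Puppet[:cacert]
        if Puppet.settings[:certificate_revocation]
            raise Puppet::Error, "certificate_revocation is enabled but no CRL is available" unless self.crl
            store.add_crl crl.content
            store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
        end
        store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
        # ... unchanged: store.verify(cert.content) and the CertificateVerificationError raise ...
```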
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 9d016c86a..ed39db235 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -214,6 +214,7 @@ class Puppet::SSL::Host
 # If there's a CRL, add it to our store.
 if crl = Puppet::SSL::CertificateRevocationList.find("ca")
 @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+ @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
 @ssl_store.add_crl(crl.content)
 end
 return @ssl_store
diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb
index e97035dea..80bb7b45e 100755
--- a/spec/integration/defaults.rb
+++ b/spec/integration/defaults.rb
@@ -223,4 +223,8 @@ describe "Puppet defaults" do
 it "should have a 'postrun_command' that defaults to the empty string" do
 Puppet.settings[:postrun_command].should == ""
 end
+
+ it "should have a 'certificate_revocation' setting that defaults to true" do
+ Puppet.settings[:certificate_revocation].should be_true
+ end
 end
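Review bot: The guard in this hunk has no effect: the unconditional `@ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK` context line directly above the added line is kept, so the CRL flags are always set and `certificate_revocation => false` changes nothing on the agent side, unlike the other two stores in this commit. The diffstat (one insertion, no deletion for this file) and the `Conflicts: lib/puppet/ssl/host.rb` trailer suggest the merge resolution kept both lines; the fix is to delete the unconditional line so only the guarded assignment remains. Until then the agent silently keeps enforcing revocation against the server certificate while the setting documents otherwise, which is the kind of mismatch that later gets "fixed" in the unsafe direction. The enclosing method (it returns `@ssl_store`, presumably `ssl_store`) starts before the hunk.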
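Review bot: The new example pins only the default value; nothing exercises the path the setting exists to change, namely that `flags=` is not applied to the store when `certificate_revocation` is false, and that is precisely the path the host.rb hunk in this commit leaves unguarded. A spec that sets `Puppet.settings[:certificate_revocation] = false` and asserts the store never receives `flags=` (or that a revoked certificate verifies) would have caught it and is the test worth adding for a switch that relaxes verification. Separately, `should be_true` passes for any truthy value; since the default is the boolean literal `true`, `Puppet.settings[:certificate_revocation].should == true` pins the cast as well.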
