authorRick Bradley <rick@rickbradley.com>2007-12-06 16:04:35 -0600
committerRick Bradley <rick@rickbradley.com>2007-12-06 16:04:35 -0600
commitd267fb2a0b6539ea08c3f855fab4666dd6506f11 (patch)
tree054e52a3761446758ca1ce2584fa9390deb2aefc
parentb38f5384ed3a2427672a1b2008500bfa2a704731 (diff)
parent507406bd44f01e151483f148fadc8d50a9640984 (diff)
Merge branch 'master' of git://reductivelabs.com/puppet into routing
-rw-r--r--CHANGELOG5
-rw-r--r--lib/puppet/defaults.rb3
-rw-r--r--lib/puppet/network/xmlrpc/client.rb7
-rwxr-xr-xlib/puppet/sslcertificates.rb2
-rwxr-xr-xspec/unit/network/xmlrpc/client.rb10
-rwxr-xr-xtest/network/xmlrpc/client.rb1
6 files changed, 25 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 04fb18791..d102a5116 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+ http_enable_post_connection_check added as a configuration
+ option for puppetd. This defaults to true, which validates the server
+ SSL certificate against the requested host name in new versions of ruby.
+ See #896 for more information.
+
Mounts no longer remount swap filesystems.
Slightly modifying how services manage their list of paths
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 5b9b4ea9a..33f3eda91 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -387,6 +387,9 @@ module Puppet
"The HTTP proxy port to use for outgoing connections"],
:http_keepalive => [true,
"Whether to reuse http connections, thus enabling http-keepalive."],
+ :http_enable_post_connection_check => [true,
+ "Boolean; wheter or not puppetd should validate the server
+ SSL certificate against the request hostname."],
:server => ["puppet",
"The server to which server puppetd should connect"],
:ignoreschedules => [false,
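Review bot: The description string for the new `:http_enable_post_connection_check` setting has a typo ("wheter") and says "request hostname" where the CHANGELOG entry says the certificate is checked against the requested host name; since this is the text users see in the generated configuration reference, it should also say what switching the option off gives up. Suggested text: `"Boolean; whether or not puppetd should validate the server SSL certificate against the requested hostname. Disabling this removes the hostname check on the server certificate (where the running Ruby supports it)."`. The settings hash this entry lives in starts and ends outside the hunk.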
diff --git a/lib/puppet/network/xmlrpc/client.rb b/lib/puppet/network/xmlrpc/client.rb
index 371648b61..5283daf5f 100644
--- a/lib/puppet/network/xmlrpc/client.rb
+++ b/lib/puppet/network/xmlrpc/client.rb
@@ -49,6 +49,12 @@ module Puppet::Network
@http.use_ssl = true
@http.read_timeout = 120
@http.open_timeout = 120
+ # JJM Configurable fix for #896.
+ if Puppet[:http_enable_post_connection_check]
+ @http.enable_post_connection_check = true
+ else
+ @http.enable_post_connection_check = false
+ end
@@http_cache[key] = @http if Puppet[:http_keepalive]
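Review bot: The five-line `if`/`else` only copies a boolean setting into a boolean attribute, so it collapses to `@http.enable_post_connection_check = Puppet[:http_enable_post_connection_check] ? true : false`, keeping the normalisation to a real true/false. Because a false value turns off the hostname check on the server certificate (per the CHANGELOG entry in this same commit), it would help operators to see that in the logs, e.g. `Puppet.warning "http_enable_post_connection_check is disabled; the server certificate hostname will not be checked" unless Puppet[:http_enable_post_connection_check]`. The `# JJM Configurable fix for #896.` comment would read better as a statement of intent: `# Honour the http_enable_post_connection_check setting (#896): when false, the server certificate is not checked against the requested hostname.`. The method that builds `@http` starts before this hunk, and the cached instance stored on the last line means a later change to the setting does not affect an already-cached connection, which presumably was already true for the other options here.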
@@ -147,7 +153,6 @@ module Puppet::Network
@http.cert = client.cert
@http.verify_mode = OpenSSL::SSL::VERIFY_PEER
@http.key = client.key
- @http.enable_post_connection_check = false
end
end
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index 1139db048..e9d544125 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -61,7 +61,7 @@ module Puppet::SSLCertificates
key_usage = %w{cRLSign keyCertSign}
when :server:
basic_constraint = "CA:FALSE"
- hash[:dnsnames].each(':') { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
+ hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
key_usage = %w{digitalSignature keyEncipherment}
ext_key_usage = %w{serverAuth clientAuth}
when :ocsp:
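Review bot: The corrected `split(':')` still emits an empty `DNS:` entry into the subjectAltName for a doubled separator such as `a::b` or a leading `:`, so the list should drop empties before use: `hash[:dnsnames].split(':').reject { |d| d.empty? }.each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]`. Surrounding whitespace in each name would likewise end up in the certificate unless stripped, which may or may not be intended by the callers that build `hash[:dnsnames]` (not visible here). The `case` statement this `when :server:` branch belongs to starts and ends outside the hunk.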
diff --git a/spec/unit/network/xmlrpc/client.rb b/spec/unit/network/xmlrpc/client.rb
index b6ab4b367..78fe82719 100755
--- a/spec/unit/network/xmlrpc/client.rb
+++ b/spec/unit/network/xmlrpc/client.rb
@@ -25,6 +25,16 @@ describe Puppet::Network::XMLRPCClient, " when managing http instances" do
Puppet::Network::XMLRPCClient.http_instance("me", 54321).open_timeout.should == 120
end
+ it "should default to http_enable_post_connection_check being enabled" do
+ Puppet.settings[:http_enable_post_connection_check].should be_true
+ end
+
+ # JJM: I'm not sure if this is correct, as this really follows the
+ # configuration option.
+ it "should set enable_post_connection_check true " do
+ Puppet::Network::XMLRPCClient.http_instance("me", 54321).instance_variable_get("@enable_post_connection_check").should be_true
+ end
+
it "should create the http instance with the proxy host and port set if the http_proxy is not set to 'none'" do
Puppet.settings.stubs(:value).with(:http_keepalive).returns(true)
Puppet.settings.stubs(:value).with(:http_proxy_host).returns("myhost")
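Review bot: The new example at `it "should set enable_post_connection_check true "` only covers the default path, so the `else` branch in `http_instance` that sets the check to false is untested, and the example name carries a trailing space. Adding the opposite case using the `Puppet.settings.stubs(:value).with(...)` pattern this file already uses for `:http_keepalive` would pin both branches; reading the result through `instance_variable_get("@enable_post_connection_check")` couples the spec to Net::HTTP internals, so if the Ruby in use exposes a reader for that attribute it would be preferable, but I cannot confirm that from here. The `JJM: I'm not sure if this is correct` comment can then be replaced by a statement of what is being checked, e.g. `# The http instance mirrors the http_enable_post_connection_check setting.`. The `describe` block continues outside the hunk.
```ruby
it "should disable enable_post_connection_check when the setting is false" do
  Puppet.settings.stubs(:value).with(:http_enable_post_connection_check).returns(false)
  # … unchanged: any other settings this describe block stubs for http_instance …
  Puppet::Network::XMLRPCClient.http_instance("me", 54321).instance_variable_get("@enable_post_connection_check").should be_false
end
```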
diff --git a/test/network/xmlrpc/client.rb b/test/network/xmlrpc/client.rb
index 597ee88cf..f6d234324 100755
--- a/test/network/xmlrpc/client.rb
+++ b/test/network/xmlrpc/client.rb
@@ -72,7 +72,6 @@ class TestXMLRPCClient < Test::Unit::TestCase
http.expects(:cert=).with(:ccert)
http.expects(:key=).with(:ckey)
http.expects(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
- http.expects(:enable_post_connection_check=).with(false)
http.expects(:cert_store=)
assert_nothing_raised do