authorLuke Kanies <luke@madstop.com>2008-05-05 21:00:29 -0500
committerLuke Kanies <luke@madstop.com>2008-05-05 21:00:29 -0500
commit160f9d99e33b051d40f00971683cf54a0ff00c32 (patch)
tree50f5a7e2e40482289f84175036a42874fad26dac /lib/puppet/network
parentce6d5787aaefc4c980e51c394328c2ddc2f7cb9c (diff)
Fixing a critical problem in how CRLs were saved and moving SSL Store responsibilities to the SSL::Host class.
I was previously saving invalid CRLs unless a revocation had been recorded in them; this commit fixes them so that they are always valid. Also, I've added to SSL::Host the ability to generate a valid SSL Store, suitable for validation. This is now used by Webrick and can be used by the http clients, too. This should have been two commits, but I'm kind of down the rabbit hole ATM.
Diffstat (limited to 'lib/puppet/network')
-rw-r--r--lib/puppet/network/http/webrick.rb18
1 files changed, 2 insertions, 16 deletions
diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb
index 9bcf9958f..30085ec47 100644
--- a/lib/puppet/network/http/webrick.rb
+++ b/lib/puppet/network/http/webrick.rb
@@ -93,7 +93,7 @@ class Puppet::Network::HTTP::WEBrick
host.generate unless host.key
- raise Puppet::Error, "Could not retrieve certificate for %s" % host.name unless host.certificate
+ raise Puppet::Error, "Could not retrieve certificate for %s and not running on a valid certificate authority" % host.name unless host.certificate
results[:SSLPrivateKey] = host.key.content
results[:SSLCertificate] = host.certificate.content
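Review bot: The reworded raise now asserts a second condition ("not running on a valid certificate authority") that the guard does not check — it still only tests `host.certificate`, so the message can mislead when the certificate is absent for any other reason, such as a request that has not yet been signed. I'd keep the factual part and turn the CA clause into a hint, e.g. `raise Puppet::Error, "Could not retrieve certificate for %s; check that a certificate authority has signed it" % host.name unless host.certificate`. The enclosing method starts and ends outside the hunk.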
@@ -107,25 +107,11 @@ class Puppet::Network::HTTP::WEBrick
results[:SSLCACertificateFile] = Puppet[:localcacert]
results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
- results[:SSLCertificateStore] = setup_ssl_store if Puppet[:crl]
+ results[:SSLCertificateStore] = host.ssl_store if Puppet[:crl]
results
end
- # Create our Certificate revocation list
- def setup_ssl_store
- unless crl = Puppet::SSL::CertificateRevocationList.find("ca")
- raise Puppet::Error, "Could not find CRL; set 'crl' to 'false' to disable CRL usage"
- end
- store = OpenSSL::X509::Store.new
- store.purpose = OpenSSL::X509::PURPOSE_ANY
- store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
-
- store.add_file(Puppet[:localcacert])
- store.add_crl(crl.content)
- return store
- end
-
private
def setup_handlers
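Review bot: The replacement `results[:SSLCertificateStore] = host.ssl_store if Puppet[:crl]` moves all revocation handling out of this file, and nothing in the hunk records what this caller now depends on: the removed `setup_ssl_store` raised when the CA's CRL could not be found and set `V_FLAG_CRL_CHECK_ALL|V_FLAG_CRL_CHECK` on the store, and whether `host.ssl_store` (not in this diff) preserves both cannot be confirmed here. When `:crl` is false, WEBrick falls back on `SSLCACertificateFile` with `VERIFY_PEER`, so client certificates are checked against the CA but presumably never against a CRL, and a revoked agent certificate would still be accepted in that mode. I'd add above the line: `# Revocation is enforced only when :crl is true; host.ssl_store is expected to set the CRL_CHECK flags and to fail loudly when the CRL is missing (setup_ssl_store used to do both here).` The start of the enclosing method is outside the hunk.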