author | Jeffrey J McCune <jeff@northstarlabs.net> | 2007-11-29 09:29:08 -0500 |
---|---|---|
committer | Jeffrey J McCune <jeff@northstarlabs.net> | 2007-11-29 09:29:08 -0500 |
commit | f94d6d3394dd0fa9ecf06b727cb7234fede7c960 (patch) | |
tree | 2125377ca163ad4c1da1a10dd1b2756c29fb8cef /lib | |
parent | 8eecbe54c96cec0de492e7ae77211637b65057e8 (diff) | |
As per lutter; augmented fix for #896 to be configurable and defaulting to validate the server certificate, honoring CVE-2007-5162.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/puppet/defaults.rb | 3 | ||||
-rw-r--r-- | lib/puppet/network/xmlrpc/client.rb | 7 |
2 files changed, 9 insertions, 1 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 5b9b4ea9a..33f3eda91 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -387,6 +387,9 @@ module Puppet
 "The HTTP proxy port to use for outgoing connections"],
 :http_keepalive => [true,
 "Whether to reuse http connections, thus enabling http-keepalive."],
+ :http_enable_post_connection_check => [true,
+ "Boolean; wheter or not puppetd should validate the server
+ SSL certificate against the request hostname."],
 :server => ["puppet",
 "The server to which server puppetd should connect"],
 :ignoreschedules => [false,
diff --git a/lib/puppet/network/xmlrpc/client.rb b/lib/puppet/network/xmlrpc/client.rb
index 371648b61..5283daf5f 100644
--- a/lib/puppet/network/xmlrpc/client.rb
+++ b/lib/puppet/network/xmlrpc/client.rb
@@ -49,6 +49,12 @@ module Puppet::Network
 @http.use_ssl = true
 @http.read_timeout = 120
 @http.open_timeout = 120
+ # JJM Configurable fix for #896.
+ if Puppet[:http_enable_post_connection_check]
+ @http.enable_post_connection_check = true
+ else
+ @http.enable_post_connection_check = false
+ end
 @@http_cache[key] = @http if Puppet[:http_keepalive]
@@ -147,7 +153,6 @@ module Puppet::Network
 @http.cert = client.cert
 @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 @http.key = client.key
- @http.enable_post_connection_check = false
 end
 end |
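Review bot: The description string of the new `:http_enable_post_connection_check` setting in defaults.rb has a typo ("wheter") and is a literal multi-line string, so the embedded newline and the indentation of the continuation line end up in the help text users see; the other settings in this hunk keep their description on one line. Since this setting is the switch that decides whether the server certificate's hostname is checked, its description should also say what turning it off costs, e.g. `"Boolean; whether or not puppetd should validate the server SSL certificate against the request hostname. Disabling this weakens protection against a spoofed server (CVE-2007-5162)."`. The setting's hash continues outside the hunk.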
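Review bot: The five-line `if`/`else` added in client.rb's first hunk only copies the setting's truthiness onto the connection and can be a single assignment, `@http.enable_post_connection_check = Puppet[:http_enable_post_connection_check] ? true : false`, which keeps the coercion to a strict boolean should `Puppet[]` ever hand back something other than `true`/`false`. The accompanying comment `# JJM Configurable fix for #896.` names the ticket but not the purpose; something like `# Check the server certificate against the requested hostname; leave on unless you accept impersonation risk (CVE-2007-5162).` tells the next maintainer why the default is `true`. Note that the check is now applied when `@http` is created and, with keepalive, cached in `@@http_cache`, while `verify_mode` is still set in the later method of the third hunk, so a reader has to look in two places to see the complete TLS policy for a connection. Both enclosing methods start outside their hunks.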