diff options
| -rw-r--r-- | lib/puppet/defaults.rb | 4 | ||||
| -rw-r--r-- | lib/puppet/network/http_server/webrick.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 1 | ||||
| -rwxr-xr-x | spec/integration/defaults.rb | 4 |
5 files changed, 10 insertions, 3 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index 66f038307..2e3888298 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -293,7 +293,9 @@ module Puppet :owner => "service", :desc => "Where the host's certificate revocation list can be found. This is distinct from the certificate authority's CRL." - } + }, + :certificate_revocation => [true, "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) + to all clients. If enabled, CA chaining will almost definitely not work."] ) setdefaults(:ca, diff --git a/lib/puppet/network/http_server/webrick.rb b/lib/puppet/network/http_server/webrick.rb index 2dae9ccd8..051a35234 100644 --- a/lib/puppet/network/http_server/webrick.rb +++ b/lib/puppet/network/http_server/webrick.rb @@ -28,7 +28,7 @@ module Puppet crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl])) store = OpenSSL::X509::Store.new store.purpose = OpenSSL::X509::PURPOSE_ANY - store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] unless self.ca_cert raise Puppet::Error, "Could not find CA certificate" end diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb index 9fe67cc8a..111b72009 100644 --- a/lib/puppet/ssl/certificate_authority.rb +++ b/lib/puppet/ssl/certificate_authority.rb @@ -284,7 +284,7 @@ class Puppet::SSL::CertificateAuthority store.add_file Puppet[:cacert] store.add_crl crl.content if self.crl store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT - store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] unless store.verify(cert.content) raise CertificateVerificationError.new(store.error), store.error_string diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index 281a2b612..958408359 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -214,6 +214,7 @@ class Puppet::SSL::Host # If there's a CRL, add it to our store. if crl = Puppet::SSL::CertificateRevocationList.find(CA_NAME) @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] @ssl_store.add_crl(crl.content) end return @ssl_store diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb index 8cbf5e46b..621b5be16 100755 --- a/spec/integration/defaults.rb +++ b/spec/integration/defaults.rb @@ -236,4 +236,8 @@ describe "Puppet defaults" do it "should have a 'postrun_command' that defaults to the empty string" do Puppet.settings[:postrun_command].should == "" end + + it "should have a 'certificate_revocation' setting that defaults to true" do + Puppet.settings[:certificate_revocation].should be_true + end end |