Diffstat (limited to 'lib/puppet')
-rw-r--r-- | lib/puppet/defaults.rb | 3 | ||||
-rw-r--r-- | lib/puppet/network/xmlrpc/client.rb | 7 | ||||
-rwxr-xr-x | lib/puppet/sslcertificates.rb | 2 |
3 files changed, 10 insertions, 2 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 5b9b4ea9a..33f3eda91 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -387,6 +387,9 @@ module Puppet
 "The HTTP proxy port to use for outgoing connections"],
 :http_keepalive => [true,
 "Whether to reuse http connections, thus enabling http-keepalive."],
+ :http_enable_post_connection_check => [true,
+ "Boolean; wheter or not puppetd should validate the server
+ SSL certificate against the request hostname."],
 :server => ["puppet",
 "The server to which server puppetd should connect"],
 :ignoreschedules => [false,
diff --git a/lib/puppet/network/xmlrpc/client.rb b/lib/puppet/network/xmlrpc/client.rb
index 371648b61..5283daf5f 100644
--- a/lib/puppet/network/xmlrpc/client.rb
+++ b/lib/puppet/network/xmlrpc/client.rb
@@ -49,6 +49,12 @@ module Puppet::Network
 @http.use_ssl = true
 @http.read_timeout = 120
 @http.open_timeout = 120
+ # JJM Configurable fix for #896.
+ if Puppet[:http_enable_post_connection_check]
+ @http.enable_post_connection_check = true
+ else
+ @http.enable_post_connection_check = false
+ end
 @@http_cache[key] = @http if Puppet[:http_keepalive]
@@ -147,7 +153,6 @@ module Puppet::Network
 @http.cert = client.cert
 @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 @http.key = client.key
- @http.enable_post_connection_check = false
 end
 end
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index 1139db048..e9d544125 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -61,7 +61,7 @@ module Puppet::SSLCertificates
 key_usage = %w{cRLSign keyCertSign}
 when :server:
 basic_constraint = "CA:FALSE"
- hash[:dnsnames].each(':') { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
+ hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
 key_usage = %w{digitalSignature keyEncipherment}
 ext_key_usage = %w{serverAuth clientAuth}
 when :ocsp: |
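Review bot: The description added for `:http_enable_post_connection_check` misspells "whether" as `wheter` and does not tell an operator what protection is given up when the setting is false. Judging from the `VERIFY_PEER` line in client.rb, the certificate chain is still checked with the setting off, but nothing ties the certificate to the host that was dialled, so any certificate issued by the same CA would be accepted as the server. I would reword it to `"Boolean; whether or not puppetd should validate the server SSL certificate against the request hostname. Disabling this leaves only CA chain validation, so any certificate signed by the CA is accepted as the server."`. The literal also spans two source lines, so the embedded newline and indentation presumably end up in the generated setting documentation; keeping it on one line or concatenating two strings avoids that.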
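Review bot: The added if/else in the `@@ -49,6 +49,12 @@` hunk of client.rb assigns exactly the boolean it tests, so it can be the single line `@http.enable_post_connection_check = Puppet[:http_enable_post_connection_check]`. The comment `# JJM Configurable fix for #896.` names a ticket but not the security property; something like `# Hostname check of the server certificate after the TLS handshake; off means chain validation only (#896)` would let a reader see what is at stake without the tracker. Because the instance is stored in `@@http_cache` right after this, a cached connection presumably keeps whatever value the setting had when it was created, which is worth a line in the comment if the setting can change at runtime. It would also help detection if the disabled case were logged once, e.g. `Puppet.warning "SSL hostname verification is disabled"`, so a weakened agent is visible in logs. The enclosing method starts and ends outside the hunk.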
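Review bot: The corrected `hash[:dnsnames].split(':').each` line in sslcertificates.rb still copies every segment into `subject_alt_name` unchecked, so an empty segment (from `a::b`) or a value with surrounding whitespace becomes a `DNS:` entry in a server certificate. If `subject_alt_name` is later joined into a single extension string (not visible in this hunk), a segment containing a comma would also add further entries of any type, so each name should be checked against a hostname pattern before it is signed. A minimal tightening that stays within the syntax this file uses is `hash[:dnsnames].split(':').map { |d| d.strip }.reject { |d| d.empty? }.each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]`. The enclosing `case` starts and ends outside the hunk.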