diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/puppet/defaults.rb | 4 | ||||
| -rw-r--r-- | lib/puppet/network/http_server/webrick.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 1 |
4 files changed, 6 insertions, 3 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index 4440fceaa..e446a2321 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -291,7 +291,9 @@ module Puppet :owner => "service", :desc => "Where the host's certificate revocation list can be found. This is distinct from the certificate authority's CRL." - } + }, + :certificate_revocation => [true, "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) + to all clients. If enabled, CA chaining will almost definitely not work."] ) setdefaults(:ca, diff --git a/lib/puppet/network/http_server/webrick.rb b/lib/puppet/network/http_server/webrick.rb index 2dae9ccd8..051a35234 100644 --- a/lib/puppet/network/http_server/webrick.rb +++ b/lib/puppet/network/http_server/webrick.rb @@ -28,7 +28,7 @@ module Puppet crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl])) store = OpenSSL::X509::Store.new store.purpose = OpenSSL::X509::PURPOSE_ANY - store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] unless self.ca_cert raise Puppet::Error, "Could not find CA certificate" end diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb index 10d13c28e..4ae8d78e7 100644 --- a/lib/puppet/ssl/certificate_authority.rb +++ b/lib/puppet/ssl/certificate_authority.rb @@ -284,7 +284,7 @@ class Puppet::SSL::CertificateAuthority store.add_file Puppet[:cacert] store.add_crl crl.content if self.crl store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT - store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] unless store.verify(cert.content) raise CertificateVerificationError.new(store.error), store.error_string diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index 9d016c86a..ed39db235 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -214,6 +214,7 @@ class Puppet::SSL::Host # If there's a CRL, add it to our store. if crl = Puppet::SSL::CertificateRevocationList.find("ca") @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] @ssl_store.add_crl(crl.content) end return @ssl_store |