From 92144000683cf596693596bf653bbd7e089976ef Mon Sep 17 00:00:00 2001
From: Luke Kanies <luke@puppetlabs.com>
Date: Tue, 11 May 2010 22:01:10 -0700
Subject: WIP - trying to fix #3460

Signed-off-by: Luke Kanies <luke@puppetlabs.com>

Conflicts:

	lib/puppet/ssl/host.rb
---
 lib/puppet/defaults.rb                    | 4 +++-
 lib/puppet/network/http_server/webrick.rb | 2 +-
 lib/puppet/ssl/certificate_authority.rb   | 2 +-
 lib/puppet/ssl/host.rb                    | 1 +
 4 files changed, 6 insertions(+), 3 deletions(-)

(limited to 'lib')

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 4440fceaa..e446a2321 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -291,7 +291,9 @@ module Puppet
             :owner => "service",
             :desc => "Where the host's certificate revocation list can be found.
                 This is distinct from the certificate authority's CRL."
-        }
+        },
+        :certificate_revocation => [true, "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL)
+            to all clients.  If enabled, CA chaining will almost definitely not work."]
     )
 
     setdefaults(:ca,
diff --git a/lib/puppet/network/http_server/webrick.rb b/lib/puppet/network/http_server/webrick.rb
index 2dae9ccd8..051a35234 100644
--- a/lib/puppet/network/http_server/webrick.rb
+++ b/lib/puppet/network/http_server/webrick.rb
@@ -28,7 +28,7 @@ module Puppet
                 crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl]))
                 store = OpenSSL::X509::Store.new
                 store.purpose = OpenSSL::X509::PURPOSE_ANY
-                store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+                store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
                 unless self.ca_cert
                     raise Puppet::Error, "Could not find CA certificate"
                 end
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 10d13c28e..4ae8d78e7 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -284,7 +284,7 @@ class Puppet::SSL::CertificateAuthority
         store.add_file Puppet[:cacert]
         store.add_crl crl.content if self.crl
         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
-        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
 
         unless store.verify(cert.content)
             raise CertificateVerificationError.new(store.error), store.error_string
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 9d016c86a..ed39db235 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -214,6 +214,7 @@ class Puppet::SSL::Host
             # If there's a CRL, add it to our store.
             if crl = Puppet::SSL::CertificateRevocationList.find("ca")
                 @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+                @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
                 @ssl_store.add_crl(crl.content)
             end
             return @ssl_store
-- 
cgit