Bug#924005: client certificate verification regression with puppetdb

Markus Koschany apo at debian.org
Mon Oct 18 10:41:03 BST 2021


Control: severity -1 normal

On Fri, 8 Mar 2019 09:59:14 +0100 "Stefan Bühler"
<stefan.buehler at tik.uni-stuttgart.de> wrote:
> Package: jetty9
> Version: 9.4.15-1
> Severity: important
> 
> Hi.
> 
> The update (libjetty9-java and libjetty9-extra-java) to 9.4.15-1 broke 
> our puppetdb setup; a downgrade to 9.4.14-1 fixes the issue.
> 
> I can't see any (new/useful/related) error message in the puppetdb log.
> 
> The error message from our puppetmaster is:
> 
> Error connecting to puppet-db.XXX on 8081 at route /pdb/cmd/v1?..., error
> message received was 'SSL_connect returned=1 errno=0 state=error: sslv3 alert
> certificate unknown'. Failing over to the next PuppetDB server_url in the
> 'server_urls' list

[...]

As Manfred Stock in this bug report has already mentioned, the breakage was
caused by a change in Jetty 9.4.15 which disabled Endpoint Identification by
default and the switch to HTTPS. This apparently caused a problem with Puppet.
To me it seems this is merely a configuration problem on the Puppet side and a
workaround exists. I leave this bug report open for future reference but I feel
there is nothing we can do to improve the situation in Buster from the
Jetty point of view.

Markus

More information about the pkg-java-maintainers mailing list