[Pkg-puppet-devel] [SCM] Puppet packaging for Debian branch, upstream, updated. 0.25.4-89-gcbbd363

James Turnbull james at lovedthanlost.net
Tue May 18 09:04:55 UTC 2010


The following commit has been merged in the upstream branch:
commit 92144000683cf596693596bf653bbd7e089976ef
Author: Luke Kanies <luke at puppetlabs.com>
Date:   Tue May 11 22:01:10 2010 -0700

    WIP - trying to fix #3460
    
    Signed-off-by: Luke Kanies <luke at puppetlabs.com>
    
    Conflicts:
    
    	lib/puppet/ssl/host.rb

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 4440fce..e446a23 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -291,7 +291,9 @@ module Puppet
             :owner => "service",
             :desc => "Where the host's certificate revocation list can be found.
                 This is distinct from the certificate authority's CRL."
-        }
+        },
+        :certificate_revocation => [true, "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL)
+            to all clients.  If enabled, CA chaining will almost definitely not work."]
     )
 
     setdefaults(:ca,
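Review bot: The `:desc` text on the added `:certificate_revocation` lines says only that a CRL is downloaded to clients, but the same setting also gates the CRL-check flags in the master's WEBrick store and in the CA's verify path elsewhere in this commit, and it never states the consequence of turning it off: revoked certificates are then accepted as valid. A practitioner deciding whether to flip a security control needs that spelled out. I would extend the description to: `Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) to all clients and checking it on both agent and master connections. Disabling this means revoked certificates are still trusted. If enabled, CA chaining will almost definitely not work.` The enclosing `setdefaults` call starts before the hunk.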
diff --git a/lib/puppet/network/http_server/webrick.rb b/lib/puppet/network/http_server/webrick.rb
index 2dae9cc..051a352 100644
--- a/lib/puppet/network/http_server/webrick.rb
+++ b/lib/puppet/network/http_server/webrick.rb
@@ -28,7 +28,7 @@ module Puppet
                 crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl]))
                 store = OpenSSL::X509::Store.new
                 store.purpose = OpenSSL::X509::PURPOSE_ANY
-                store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+                store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
                 unless self.ca_cert
                     raise Puppet::Error, "Could not find CA certificate"
                 end
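Review bot: When `Puppet.settings[:certificate_revocation]` is false the new conditional on the `store.flags` line silently leaves the store without CRL checking, so a revoked client certificate presented to the master is accepted and nothing in the logs shows that the check was skipped; a downgrade like that should at least be logged, e.g. `Puppet.warning "Certificate revocation checking is disabled; revoked client certificates will be accepted" unless Puppet.settings[:certificate_revocation]` next to the flags line. Note also that `crl = OpenSSL::X509::CRL.new(File.read(Puppet[:cacrl]))` two lines above still reads and parses the CRL file unconditionally, so if the setting is meant to let a master run without a usable CRL (the CA-chaining case the setting description mentions), that read presumably needs the same guard. The method this store is built in starts before the hunk.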
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 10d13c2..4ae8d78 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -284,7 +284,7 @@ class Puppet::SSL::CertificateAuthority
         store.add_file Puppet[:cacert]
         store.add_crl crl.content if self.crl
         store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
-        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+        store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
 
         unless store.verify(cert.content)
             raise CertificateVerificationError.new(store.error), store.error_string
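Review bot: In this verify method the CRL is still added on the `store.add_crl crl.content if self.crl` line, but with the flags now conditional OpenSSL will not consult it when `certificate_revocation` is false, so `store.verify(cert.content)` reports a revoked certificate as valid and the caller gets no indication of why. Sharing the condition between the two lines, with a comment, makes the intent explicit: `store.add_crl crl.content if self.crl && Puppet.settings[:certificate_revocation]` preceded by `# CRL checking is deliberately skipped when the certificate_revocation setting is off`. Since callers presumably rely on this method to reject revoked certificates, a `Puppet.warning` when a CRL exists but checking is disabled would also be appropriate. The method starts before the hunk.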
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 9d016c8..ed39db2 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -214,6 +214,7 @@ class Puppet::SSL::Host
             # If there's a CRL, add it to our store.
             if crl = Puppet::SSL::CertificateRevocationList.find("ca")
                 @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+                @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
                 @ssl_store.add_crl(crl.content)
             end
             return @ssl_store
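Review bot: The added guarded line `@ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]` sits directly below the original unconditional `@ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK`, which was kept rather than replaced — this looks like a leftover from the `lib/puppet/ssl/host.rb` conflict the commit message records. As it stands the flags are always set before the guarded line runs, so on the agent side the setting has no effect at all, while the other hunks in this commit do honour it on the master. The unconditional line should be deleted so that only the guarded assignment remains. The `ssl_store` method this belongs to starts before the hunk.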
diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb
index e97035d..80bb7b4 100755
--- a/spec/integration/defaults.rb
+++ b/spec/integration/defaults.rb
@@ -223,4 +223,8 @@ describe "Puppet defaults" do
     it "should have a 'postrun_command' that defaults to the empty string" do
         Puppet.settings[:postrun_command].should == ""
     end
+
+    it "should have a 'certificate_revocation' setting that defaults to true" do
+        Puppet.settings[:certificate_revocation].should be_true
+    end
 end
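Review bot: The new example only pins the default value of `certificate_revocation`; nothing in the commit exercises what the setting actually controls, and a spec on `Puppet::SSL::Host#ssl_store` asserting that the store's `flags` stay unset when the setting is false would have caught the unconditional assignment that survives in the host.rb hunk. `be_true` also passes for any truthy value, so for a boolean setting `Puppet.settings[:certificate_revocation].should == true` is the tighter check.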
