Faidon Liambotis has submitted this change and it was merged.

Change subject: sslcert: fix update-ocsp's non-proxy mode
......................................................................


sslcert: fix update-ocsp's non-proxy mode

update-ocsp already had code to deal with not passing a --proxy argument
but it was impossible to reach with the current argparse config. Fix
this and also add support for passing the Host header so that this works
against e.g. GlobalSign's OCSP servers. While at it, fix a couple of
bugs in the error handling path that probably weren't previously
exercised until I started poking at it.

Change-Id: I9194227439d7c8f5ff320596aad9bafbbb072cdc
---
M modules/sslcert/files/update-ocsp
1 file changed, 7 insertions(+), 4 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/sslcert/files/update-ocsp 
b/modules/sslcert/files/update-ocsp
index fc8786e..f19ce96 100644
--- a/modules/sslcert/files/update-ocsp
+++ b/modules/sslcert/files/update-ocsp
@@ -27,6 +27,7 @@
 import glob
 import tempfile
 import datetime
+import urlparse
 
 
 def file_exists(fname):
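Review bot: `urlparse` is the Python 2 module name; under Python 3 this import fails and the equivalent is `from urllib.parse import urlparse`. If the script is meant to stay Python 2 only, a comment to that effect (or a `#!/usr/bin/python2` shebang) would save the next person a confusing ImportError; otherwise a try/except import of both names keeps it portable. Minor style point: the surrounding imports are not in any order, so appending `import urlparse` at the end is fine, but a sorted block would make future additions easier to review.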
@@ -48,8 +49,7 @@
                         help="output filename",
                         required=True)
     parser.add_argument('--proxy', '-p', dest="proxy",
-                        help="HTTP proxy host:port to use for OCSP request",
-                        required=True)
+                        help="HTTP proxy host:port to use for OCSP request")
     parser.add_argument('--ca-certs', '-d', dest="cadir",
                         help="SSL CA certificates directory",
                         default='/etc/ssl/certs')
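Review bot: dropping `required=True` silently changes the contract of `--proxy` from mandatory to optional, but the help text still reads as if the proxy were always used. Suggest stating the fallback explicitly, e.g. `help="HTTP proxy host:port to use for OCSP request (default: connect directly to the OCSP URL)"`, so operators running this on a host without outbound HTTP access understand why a direct fetch will fail. Since argparse now leaves `proxy` as `None`, the only guard against a typo in the option name is the `if proxy:` branch further down; worth confirming that no other code path dereferences `args.proxy` assuming a string.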
@@ -73,8 +73,7 @@
     (p_out, p_err) = p.communicate()
     if p.returncode != 0:
         sys.stderr.write("Command %s failed with exit code %i, stderr:\n%s" %
-                         (p.args, p.returncode, p_err))
-        raise
+                         (" ".join(args), p.returncode, p_err))
     return (p_out, p_err)
 
 
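Review bot: removing the bare `raise` fixes a real bug (a bare `raise` outside an `except` block raises `RuntimeError: No active exception to reraise`, masking the original failure), but nothing replaces it: the function now writes the error to stderr and then returns `(p_out, p_err)` as if the command had succeeded, so a failed OCSP fetch can proceed to the next step with empty or partial output. Suggest ending the `if p.returncode != 0:` block with `raise RuntimeError("Command %s failed with exit code %i" % (" ".join(args), p.returncode))` or `sys.exit(p.returncode)` so that a non-zero exit is fatal. Switching from `p.args` to `" ".join(args)` is correct for this codebase: `Popen.args` only exists from Python 3.3 onwards, which is likely why this path never worked before.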
@@ -168,8 +167,12 @@
             "-host", proxy,
         ])
     else:
+        # OpenSSL only speaks HTTP/1.0 and sends no Host header. This doesn't
+        # really work in many OCSP servers, so supply the Host header manually.
+        hosthdr = urlparse.urlparse(ocsp_uri).netloc
         cmd.extend([
             "-url", ocsp_uri,
+            "-header", "Host", hosthdr,
         ])
 
     for cert in certs:
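Review bot: the three-token form `"-header", "Host", hosthdr` matches the OpenSSL 1.0.x `ocsp -header name value` syntax; OpenSSL 1.1.0 changed this option to a single `name=value` argument, so `-header Host <value>` will be rejected there. Either document the supported OpenSSL version next to the comment or build the argument from the detected version so the non-proxy path does not break on upgrade. Also, `urlparse(ocsp_uri).netloc` keeps everything between `//` and the path, including any `user:pass@` userinfo; `.hostname` plus `.port` (when set) is the safer way to derive a Host value from an untrusted AIA URL taken out of a certificate.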

-- 
To view, visit https://gerrit.wikimedia.org/r/243133
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9194227439d7c8f5ff320596aad9bafbbb072cdc
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
