Faidon Liambotis has submitted this change and it was merged. Change subject: sslcert: fix update-ocsp's non-proxy mode ......................................................................
sslcert: fix update-ocsp's non-proxy mode update-ocsp already had code to deal with not passing a --proxy argument but it was impossible to reach with the current argparse config. Fix this and also add support for passing the Host header so that this works against e.g. GlobalSign's OCSP servers. While at it, fix a couple of bugs in the error handling path that probably wasn't previously exercised until I started poking at it. Change-Id: I9194227439d7c8f5ff320596aad9bafbbb072cdc --- M modules/sslcert/files/update-ocsp 1 file changed, 7 insertions(+), 4 deletions(-) Approvals: Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/sslcert/files/update-ocsp b/modules/sslcert/files/update-ocsp index fc8786e..f19ce96 100644 --- a/modules/sslcert/files/update-ocsp +++ b/modules/sslcert/files/update-ocsp @@ -27,6 +27,7 @@ import glob import tempfile import datetime +import urlparse def file_exists(fname): @@ -48,8 +49,7 @@ help="output filename", required=True) parser.add_argument('--proxy', '-p', dest="proxy", - help="HTTP proxy host:port to use for OCSP request", - required=True) + help="HTTP proxy host:port to use for OCSP request") parser.add_argument('--ca-certs', '-d', dest="cadir", help="SSL CA certificates directory", default='/etc/ssl/certs') @@ -73,8 +73,7 @@ (p_out, p_err) = p.communicate() if p.returncode != 0: sys.stderr.write("Command %s failed with exit code %i, stderr:\n%s" % - (p.args, p.returncode, p_err)) - raise + (" ".join(args), p.returncode, p_err)) return (p_out, p_err) 
@@ -168,8 +167,12 @@ "-host", proxy, ]) else: + # OpenSSL only speaks HTTP/1.0 and sends no Host header. This doesn't + # really work in many OCSP servers, so supply the Host header manually. + hosthdr = urlparse.urlparse(ocsp_uri).netloc cmd.extend([ "-url", ocsp_uri, + "-header", "Host", hosthdr, ]) for cert in certs: -- To view, visit https://gerrit.wikimedia.org/r/243133 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I9194227439d7c8f5ff320596aad9bafbbb072cdc Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
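Review bot: `import urlparse` in the `@@ -27,6 +27,7 @@` hunk is the Python 2 module name; under Python 3 this import fails (the module is `urllib.parse`). If the script is ever run under Python 3, a small shim keeps it portable: `try: import urlparse` / `except ImportError: from urllib import parse as urlparse`, used the same way as today.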
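Review bot: With `required=True` dropped in the `@@ -48,8 +49,7 @@` hunk, the help string for `--proxy` should say that the option is optional and that the script connects directly to the OCSP responder when it is omitted; nothing else in the parser tells the operator that the non-proxy mode exists.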
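Review bot: Removing the bare `raise` in the `@@ -73,8 +73,7 @@` hunk turns a failed `openssl` invocation into a logged-and-ignored event: after writing to stderr the function falls through to `return (p_out, p_err)`, so callers receive the output of a command that exited non-zero as if it had succeeded, and an empty or partial OCSP response could end up in the output file. The old bare `raise` was indeed wrong (outside an `except` block there is no active exception to re-raise), but it did abort the run; replace it with something that still stops the script, e.g. `raise RuntimeError("%s failed with exit code %i" % (" ".join(args), p.returncode))` or `sys.exit(1)`, rather than dropping it. The stderr message could also use a trailing newline after `%s` so the next line of output does not run into it.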
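Review bot: In the `@@ -168,8 +167,12 @@` hunk, `urlparse.urlparse(ocsp_uri).netloc` is the right value for the common `host[:port]` case, but `netloc` also carries any userinfo present in the URI (`user:pass@host:port`) straight into the Host header; building the value from `.hostname` and `.port` would be stricter. Separately, the two-argument `-header Host <value>` form matches the `openssl ocsp` syntax of OpenSSL 1.0.x, while OpenSSL 1.1.0 changed `-header` to take a single `name=value` argument, so a comment noting the OpenSSL version this targets would help whoever next hits an "unknown option" error on a newer toolchain.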