Issue #3169 has been reported by Nicholas Veeser.
----------------------------------------
Feature #3169: Add more debugging to SSL Cert verification
http://projects.reductivelabs.com/issues/3169
Author: Nicholas Veeser
Status: Unreviewed
Priority: Normal
Assigned to:
Category: SSL
Target version:
Affected version: 0.25.3
Keywords:
Branch:
I spent several days on this.
OpenSSL is not very informative when the certificate verification fails during SSL negotiation.
The error I was getting back was:
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
To understand what was really happening I dug around and ended up adding the following in puppet/network/http_pool.rb:
Puppet::Network::HttpPool
...
def self.cert_setup(http)
# Just no-op if we don't have certs.
return false unless FileTest.exist?(Puppet[:hostcert]) and
FileTest.exist?(Puppet[:localcacert])
http.cert_store = ssl_host.ssl_store
http.ca_file = Puppet[:localcacert]
http.cert = ssl_host.certificate.content
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.key = ssl_host.key.content
+ if Puppet[:debug]
+ http.verify_callback = self.method(:ssl_verify_callback).to_proc
+ end
+ end
+
+ def self.ssl_verify_callback(peer_ok, x509_store_ctx)
+ if not peer_ok
+ Puppet.debug "OpenSSL: Error(#{x509_store_ctx.error}):
#{x509_store_ctx.error_string}"
+ Puppet.debug "OpenSSL: Cert:
#{x509_store_ctx.current_cert.issuer}"
+ Puppet.debug "OpenSSL: Current CRL: #{x509_store_ctx.current_crl}"
+ Puppet.debug "OpenSSL: Chain:"
+ x509_store_ctx.chain.each_index { |i| Puppet.debug "OpenSSL:
\t#{i} #{x509_store_ctx.chain[i].issuer}" }
+ end
+ peer_ok
end
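Review bot: In the `if not peer_ok` branch, `x509_store_ctx.current_cert` and `x509_store_ctx.chain` are used without a nil check (`.issuer` on the cert, `.each_index` on the chain); Ruby's OpenSSL binding returns nil for both when the context has no current certificate or chain, so the debugging callback would raise instead of logging in exactly the situations it is meant to explain. Guard them, for example `(x509_store_ctx.chain || []).each_index`, and print `current_cert.subject` rather than only `issuer` so the line names the certificate that failed. Logging `x509_store_ctx.error_depth` next to `error` and `error_string` would also tell the reader which position in the chain the error belongs to. The callback correctly returns `peer_ok` unchanged, so it does not alter OpenSSL's verdict; since `Puppet.debug` already suppresses output below debug level, the `if Puppet[:debug]` guard around `verify_callback=` is optional and deserves a one-line comment stating that the callback is debug-only by design.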
This gave more detailed information (i.e. the CRL was missing).
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
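The diagnostic the report asks for, as a stand-alone example added here (this is not Puppet's code and not the patch in the report): a verify_callback that records the OpenSSL error code, the chain depth, the failing certificate's subject and the chain seen so far, exercised against a throwaway in-memory CA and agent certificate in three cases, including the missing-CRL case the reporter traced the error to. The subjects, keys and certificates are constructed for the example; the callback guards `current_cert` and `chain` against nil and returns `peer_ok` unchanged so it never overrides OpenSSL's verdict.

```ruby
require 'openssl'

# Added example (not Puppet's code): a verify_callback that records *why*
# OpenSSL rejected a certificate, exercised against a throwaway in-memory PKI.
# All subjects, keys and certificates below are constructed for this example.

# Build an X.509 certificate. With issuer_cert/issuer_key nil the cert is
# self-signed (a root CA); otherwise it is signed by the given issuer.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `cert` against `store` with a diagnostic callback installed.
# The callback only observes: it returns peer_ok unchanged, so OpenSSL's
# verdict is never overridden. current_cert and chain may be nil in some
# failure paths, so they are guarded before use.
def verify_with_diagnostics(store, cert, untrusted_chain = nil)
  failures = []
  store.verify_callback = lambda do |peer_ok, ctx|
    unless peer_ok
      failures << {
        code:    ctx.error,        # numeric X509_V_ERR_* code
        depth:   ctx.error_depth,  # 0 = leaf, 1 = its issuer, ...
        message: ctx.error_string,
        subject: ctx.current_cert ? ctx.current_cert.subject.to_s : nil,
        chain:   (ctx.chain || []).map { |c| c.subject.to_s },
      }
    end
    peer_ok
  end
  ok = store.verify(cert, untrusted_chain)
  { ok: ok, failures: failures, store_error: store.error_string }
end

# Throwaway PKI: one root CA and one agent certificate it issued.
CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert("/CN=Example Puppet CA", CA_KEY, nil, nil, 1, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert("/CN=agent.example.com", LEAF_KEY, CA_CERT, CA_KEY, 2)

# Case 1: the CA is not trusted at all (the store is empty).
def scenario_unknown_ca
  verify_with_diagnostics(OpenSSL::X509::Store.new, LEAF_CERT)
end

# Case 2: the CA is trusted; verification succeeds and the callback stays quiet.
def scenario_trusted_ca
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  verify_with_diagnostics(store, LEAF_CERT)
end

# Case 3: CRL checking is required but no CRL was loaded. This is the bare
# "certificate verify failed" that the report traced back to a missing CRL.
def scenario_missing_crl
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  verify_with_diagnostics(store, LEAF_CERT)
end

if __FILE__ == $0
  { unknown_ca: scenario_unknown_ca, trusted_ca: scenario_trusted_ca,
    missing_crl: scenario_missing_crl }.each do |name, result|
    puts "#{name}: ok=#{result[:ok]} (#{result[:store_error]})"
    result[:failures].each do |f|
      puts "  error #{f[:code]} at depth #{f[:depth]}: #{f[:message]}"
      puts "  failing cert: #{f[:subject]}"
      f[:chain].each_with_index { |s, i| puts "  chain[#{i}] #{s}" }
    end
  end
end
```

Running the script prints one line per case plus the recorded failures; the missing-CRL case reports "unable to get certificate CRL" at depth 0 for the agent certificate, which is the detail the plain "certificate verify failed" message hides. In an HTTP client the same lambda can be assigned to `http.verify_callback=` on a `Net::HTTP` instance instead of to the store.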