From 1eaf047247f0b7f1c11e701ac2c95582228465be Mon Sep 17 00:00:00 2001
From: Al Tobey <tobert@gmail.com>
Date: Fri, 9 Jul 2010 15:57:33 -0700
Subject: [PATCH 2/2] Add support for "certificate_revocation_shallow".

Signed-off-by: Al Tobey <tobert@gmail.com>
---
 lib/puppet/defaults.rb |    3 ++-
 lib/puppet/ssl/host.rb |    9 ++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index caf9757..6a00d3c 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -270,7 +270,8 @@ module Puppet
                 This is distinct from the certificate authority's CRL."
         },
         :certificate_revocation => [true, "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL)
-            to all clients.  If enabled, CA chaining will almost definitely not work."]
+            to all clients.  If enabled, CA chaining will almost definitely not work."],
+        :certificate_revocation_shallow => [false, "Only check the first certificate's CRL rather than all of them."]
     )
 
     setdefaults(:ca,
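Review bot: The description added for `:certificate_revocation_shallow` does not state the security trade-off of turning it on. With only `V_FLAG_CRL_CHECK` set, OpenSSL checks revocation for the peer (leaf) certificate alone, so a revoked intermediate CA certificate in the chain would still be accepted. I would word it along the lines of `"Only check the peer (leaf) certificate against the CRL rather than every certificate in the chain; a revoked intermediate CA certificate is not detected in this mode."`. It should also say that the setting has no effect unless `certificate_revocation` is enabled, which is how the host.rb hunk uses it. If the purpose is to make CA chaining work (the neighbouring description says chaining breaks with full checking), saying so would help operators decide.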
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index f4c70d6..fa042d5 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -218,7 +218,14 @@ class Puppet::SSL::Host
 
             # If there's a CRL, add it to our store.
             if crl = Puppet::SSL::CertificateRevocationList.find(CA_NAME)
-                @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
+                Puppet.info "USING CRL: #{crl.content.issuer} Revoked: #{crl.content.revoked}"
+                if Puppet.settings[:certificate_revocation]
+                    if Puppet.settings[:certificate_revocation_shallow]
+                        @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
+                    else
+                        @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
+                    end
+                end
                 @ssl_store.add_crl(crl.content)
             end
             return @ssl_store
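Review bot: The added `Puppet.info "USING CRL: ..."` line interpolates `crl.content.revoked`, which is an array of `OpenSSL::X509::Revoked` objects. It will most likely print object inspect strings rather than serial numbers, and it does so at info level even when `certificate_revocation` is disabled. Something like `Puppet.debug "Using CRL from #{crl.content.issuer} (#{crl.content.revoked.length} revoked)"` inside the `if Puppet.settings[:certificate_revocation]` branch would be quieter and readable. The trailing `if Puppet.settings[:certificate_revocation]` on the `else` assignment is redundant, because the outer `if` already guarantees it. A short comment on the shallow branch, such as `# leaf-only check: revoked intermediate CAs are not detected`, would make the weaker guarantee visible to the next reader. The enclosing method starts above this hunk, so how `@ssl_store` is otherwise configured is not visible here.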
-- 
1.7.1

