Issue #20027 has been reported by Jeff McCune.

----------------------------------------
Bug #20027: Puppet ssl_client_ca_auth setting does not behave as documented
https://projects.puppetlabs.com/issues/20027

* Author: Jeff McCune
* Status: Accepted
* Priority: Normal
* Assignee:
* Category: SSL
* Target version: 3.2.0
* Affected Puppet version: 3.0.0
* Keywords: chaining chain ssl external ca certificate authorization ssl_client_ca_auth
* Branch:
----------------------------------------

# Overview

In Puppet 3.1.1, the `ssl_client_ca_auth` setting does not affect the behavior of Puppet in the manner described. Specifically, the intent of this setting is, "SSL servers will not be considered authentic unless they possess a certificate issued by an authority listed in this file."

# Expected behavior

When the Puppet agent connects to a master using an SSL certificate that is issued by a CA not listed in this file but is chained to the CA root listed in `localcacert`, the agent refuses to connect with a clear reason why.

# Actual behavior

The agent happily connects to the master presenting an SSL cert not issued by a CA listed in the file.

# Steps to reproduce

There is (or will be) an automated acceptance test for this issue at <https://github.com/puppetlabs/puppet/pull/1572/files>. The manual process is as follows:

1. Create a self-signed Root CA.
2. Create an intermediate CA issued by the Root CA, named "For the agents".
3. Create a second intermediate CA issued by the Root CA, named "For the masters".
4. Issue an SSL certificate for "master1.example.org" from the CA for the agents.
5. Issue an SSL certificate for "master1.example.org" from the CA for the masters.
6. Configure an Apache virtual host on 8140 using the SSL certificates issued by "For the masters". This is the "good" one.
7. Configure another Apache virtual host on 8141 that is identical to 8140, the only difference being the use of the cert issued by the "For the agents" CA. This is the "rogue" master that is using an agent certificate.
8. Place the "For the masters" CA certificate in a file that is different from the `localcacert` file and configure `ssl_client_ca_auth` to point at this file.

When the agent connects to 8140, it should proceed since this master has a certificate issued by a CA listed in the `ssl_client_ca_auth` file. When the agent connects to 8141 it should refuse to continue since this master does not have a certificate issued by a CA listed in the `ssl_client_ca_auth` file.

Observe that the agent happily connects to both without error because both servers provide a valid chain of certificates leading to the trusted Root CA.

# Impact data

This option was added to Puppet 3 in an effort to partially address #3120 and make it easier to fully address in later versions. Since the option has no effect, the original problem of trusting "all or nothing" remains when using CA chaining.

-Jeff
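The reproduction steps above, reduced to certificate handling in Ruby's OpenSSL bindings, as an added example that is not code from this report or from Puppet itself. It builds the root, the "For the agents" and "For the masters" intermediates, and one "master1.example.org" certificate from each; then it shows that plain chain validation against the root (the `localcacert` analogue) accepts both masters, which is the behavior the report observes, while a check that additionally requires the server certificate's direct issuer to be in an allow-list (the `ssl_client_ca_auth` analogue) accepts only the good one. That allow-list rule is this example's reading of the documented intent, not Puppet's implementation; the CA names, serials and key sizes are constructed for the example.

```ruby
require 'openssl'

# Build an X.509v3 certificate. A nil issuer yields a self-signed root.
# Returns [certificate, private_key]. Added example; not Puppet code.
def make_cert(cn, serial:, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))

  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Steps 1-5 of the report: one root, two intermediates, and a
# "master1.example.org" certificate issued by each intermediate.
def build_pki
  root, root_key        = make_cert('Example Root CA', serial: 1, ca: true)
  agents_ca, agents_k   = make_cert('For the agents',  serial: 2, ca: true, issuer_cert: root, issuer_key: root_key)
  masters_ca, masters_k = make_cert('For the masters', serial: 3, ca: true, issuer_cert: root, issuer_key: root_key)
  good, _  = make_cert('master1.example.org', serial: 4, issuer_cert: masters_ca, issuer_key: masters_k)
  rogue, _ = make_cert('master1.example.org', serial: 5, issuer_cert: agents_ca,  issuer_key: agents_k)
  { root: root, agents_ca: agents_ca, masters_ca: masters_ca, good: good, rogue: rogue }
end

# Plain chain validation against the trusted root (the `localcacert`
# analogue). This accepts any leaf that chains to the root, whichever
# intermediate issued it, which is the "all or nothing" trust the report describes.
def chain_valid?(server_cert, intermediates, root_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  store.verify(server_cert, intermediates)
end

# Chain validation plus the documented `ssl_client_ca_auth` rule: the server
# certificate must have been issued directly by a CA in the allow-list.
# (This rule is the example's reading of the documented intent.)
# Returns { ok: true/false, reason: String }.
def authentic_master?(server_cert, intermediates, root_cert, ca_auth_certs)
  unless chain_valid?(server_cert, intermediates, root_cert)
    return { ok: false, reason: 'certificate does not chain to localcacert' }
  end
  issuer = ca_auth_certs.find do |ca|
    ca.subject == server_cert.issuer && server_cert.verify(ca.public_key)
  end
  if issuer.nil?
    return { ok: false,
             reason: "issuer #{server_cert.issuer} is not listed in ssl_client_ca_auth" }
  end
  { ok: true, reason: "issued by #{issuer.subject}" }
end

# Steps 6-8 of the report: both masters present a chain to the root, but only
# "For the masters" is in the ssl_client_ca_auth file.
def check_scenario
  pki = build_pki
  presented_chain = [pki[:agents_ca], pki[:masters_ca]]
  ca_auth = [pki[:masters_ca]]
  {
    good_chain_only:  chain_valid?(pki[:good],  presented_chain, pki[:root]),
    rogue_chain_only: chain_valid?(pki[:rogue], presented_chain, pki[:root]),
    good:  authentic_master?(pki[:good],  presented_chain, pki[:root], ca_auth),
    rogue: authentic_master?(pki[:rogue], presented_chain, pki[:root], ca_auth)
  }
end

if __FILE__ == $PROGRAM_NAME
  check_scenario.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Running the script prints `true` for both chain-only checks (the observed behavior on ports 8140 and 8141) and an `ok: false` result with the issuer named only for the rogue master under the allow-list check; the reason string is what an agent would need to give as the "clear reason why" the report asks for.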