Jira (PUP-10144) Add SSLProvider#create_system_context method

16 views
Skip to first unread message

Josh Cooper (JIRA)

unread,
Nov 18, 2019, 6:07:03 PM11/18/19
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Task PUP-10144
Add SSLProvider#create_system_context method
Issue Type: Task Task
Assignee: Unassigned
Created: 2019/11/18 3:06 PM
Priority: Normal Normal
Reporter: Josh Cooper

Add a method to Puppet::SSL::SSLProvider for loading a system ssl context. This will be needed in order to retrieve file content from HTTPS servers whose certs are not signed by Puppet, but by well known CAs like VeriSign.

The method should require a cacerts argument containing an array of {{OpenSSL::X509::Certificate}}s. It's ok if the array is empty, but should raise ArgumentError if nil.

The method should return a Puppet::SSL::SSLContext:

  • The context's store should have VERIFY_PEER set
  • Each cacert should be added to the store.
  • The set_default_paths method should be called on the store.
  • Revocation should be disabled.
  • The private key and client cert should be nil
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Josh Cooper (JIRA)

unread,
Nov 18, 2019, 7:54:04 PM11/18/19
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Josh Cooper
Change By: Josh Cooper
Assignee: Josh Cooper

Josh Cooper (JIRA)

unread,
Nov 19, 2019, 12:30:04 PM11/19/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core KANBAN

Josh Cooper (JIRA)

unread,
Nov 19, 2019, 12:31:04 PM11/19/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Add a method to {{Puppet::SSL::SSLProvider}} for loading a system ssl context. This will be needed in order to retrieve file content from HTTPS servers whose certs are not signed by Puppet, but by well known CAs like VeriSign.

The method should require a {{cacerts}} argument containing an array of {{OpenSSL::X509::Certificate}} s . It's ok if the array is empty, but should raise ArgumentError if nil.


The method should return a {{Puppet::SSL::SSLContext}}:

* The context's store should have VERIFY_PEER set
* Each {{cacert}} should be added to the store.
* The {{set_default_paths}} method should be called on the store.
* Revocation should be disabled.
* The private key and client cert should be nil

Josh Cooper (JIRA)

unread,
Nov 19, 2019, 3:54:04 PM11/19/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.12.0

Melissa Stone (JIRA)

unread,
Dec 3, 2019, 12:57:04 PM12/3/19
to puppe...@googlegroups.com

Josh Cooper (JIRA)

unread,
Dec 4, 2019, 12:37:04 AM12/4/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Not Needed

Josh Cooper (JIRA)

unread,
Dec 4, 2019, 12:38:03 AM12/4/19
to puppe...@googlegroups.com
Reply all
Reply to author
Forward
0 new messages