Jira (PUP-5069) Puppet HTTP connection code does not allow callers to trust system cacerts

0 views
Skip to first unread message

Josh Cooper (JIRA)

unread,
Aug 24, 2015, 2:16:04 PM8/24/15
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Bug PUP-5069
Puppet HTTP connection code does not allow callers to trust system cacerts
Issue Type: Bug Bug
Assignee: Unassigned
Created: 2015/08/24 11:15 AM
Priority: Normal Normal
Reporter: Josh Cooper

Puppet's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the Net::HTTP#store and call OpenSSL::X509::Store#set_default_paths, but this is not currently possible.

The PMT works around this by rolling its own Net::HTTP object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v6.4.5#64020-sha1:78acd6c)
Atlassian logo

Josh Cooper (JIRA)

unread,
Aug 24, 2015, 2:17:02 PM8/24/15
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Puppet's HTTP API does not allow callers to trust system cacerts
Change By: Josh Cooper
Summary: Puppet 's  HTTP  connection code  API  does not allow callers to trust system cacerts

William Hopper (JIRA)

unread,
Apr 20, 2016, 7:54:03 PM4/20/16
to puppe...@googlegroups.com
William Hopper updated an issue
Change By: William Hopper
Story Points: 2 3
This message was sent by Atlassian JIRA (v6.4.13#64028-sha1:b7939e9)
Atlassian logo

Adrien Thebo (JIRA)

unread,
Mar 1, 2017, 4:16:08 PM3/1/17
to puppe...@googlegroups.com
Adrien Thebo updated an issue
Change By: Adrien Thebo
Labels: ssl
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)
Atlassian logo

Branan Riley (JIRA)

unread,
May 15, 2017, 2:30:03 PM5/15/17
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Story Points: 3

Branan Riley (JIRA)

unread,
May 15, 2017, 2:30:04 PM5/15/17
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: ssl  triaged

Branan Riley (JIRA)

unread,
May 15, 2017, 2:30:04 PM5/15/17
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Team: Agent

Josh Cooper (JIRA)

unread,
Mar 15, 2018, 8:14:04 PM3/15/18
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sub-team: Coremunity
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Josh Cooper (JIRA)

unread,
Aug 8, 2019, 5:58:06 PM8/8/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
underlined textPuppet Puppet 's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the {{Net::HTTP#store}} and call {{OpenSSL::X509::Store#set_default_paths}}, but this is not currently possible.


The PMT works around this by rolling its own {{Net::HTTP}} object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.

Josh Cooper (JIRA)

unread,
Aug 8, 2019, 5:58:06 PM8/8/19
to puppe...@googlegroups.com
Josh Cooper updated an issue
Puppet underlined textPuppet 's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the {{Net::HTTP#store}} and call {{OpenSSL::X509::Store#set_default_paths}}, but this is not currently possible.


The PMT works around this by rolling its own {{Net::HTTP}} object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.

Rob Braden (JIRA)

unread,
Feb 3, 2020, 1:05:03 PM2/3/20
to puppe...@googlegroups.com
Rob Braden updated an issue
Change By: Rob Braden
Sprint: Coremunity Hopper

Josh Cooper (JIRA)

unread,
Feb 5, 2020, 12:23:04 PM2/5/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Puppet's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the {{Net::HTTP#store}} and call {{OpenSSL::X509::Store#set_default_paths}}, but this is not currently possible.


The PMT works around this by rolling its own {{Net::HTTP}} object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.


Next Steps:

1. Update puppet, report and fileserver http services to accept an optional {{trust_system_store}} argument which defaults to false.
2. Remove the {{ssl_context}} argument from the same set of services. Note the ca server needs to remain as-is, because the agent needs to pass in an {{ssl_context}} during ssl bootstrapping.
3. Update the HTTP client get, post, etc methods to accept either {{trust_system_store}} or {{ssl_context}} but not both.
4. Add a {{Puppet::HTTP::Client#system_ssl_context}} method that calls {{Puppet::SSL::SSLProvider.create_system_context}} and memoizes it
5. If {{trust_system_store}} is true, then {{Puppet::HTTP::Client#get}} (etc) should use the {{system_ssl_context}} for that connection.

Acceptance Criteria:

1. The client should be able to connect to well-known servers like github.com, whose SSL cert is not issued by the puppet PKI.
2. The client should not perform revocation checking, since the CA cert won't be in puppet's CRL bundle.
3. A connection created with the system_ssl_context should not be reused when making a connection to puppet infrastructure (using the puppet_ssl_context) and vice-versa. This can be verified looking at the http_debug log and seeing when new connections are started vs reused.

Josh Cooper (JIRA)

unread,
Feb 10, 2020, 12:22:05 PM2/10/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.14.0

Josh Cooper (JIRA)

unread,
Feb 25, 2020, 10:02:04 PM2/25/20
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Josh Cooper
Change By: Josh Cooper
Assignee: Josh Cooper

Josh Cooper (JIRA)

unread,
Feb 25, 2020, 10:02:04 PM2/25/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Hopper Platform Core KANBAN

Josh Cooper (Jira)

unread,
Feb 28, 2020, 4:30:04 PM2/28/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
Puppet's HTTP connection code does not allow callers to specify that they want to trust the default set of cacerts. To do so, you need to get access to the {{Net::HTTP#store}} and call {{OpenSSL::X509::Store#set_default_paths}}, but this is not currently possible.

The PMT works around this by rolling its own {{Net::HTTP}} object, leading to duplicate proxy handling logic. It would be nice to DRY this up, but to do so, our HTTP code needs to provide a way for callers to trust the system's cacerts. This would also be useful for providers that need to make network connections, and not rely on open-uri to do so.

Next Steps:

1. Update puppet, report and fileserver http services to accept an optional {{ trust_system_store include_system_store }} argument which defaults to false.

2. Remove the {{ssl_context}} argument from the same set of services. Note the ca server needs to remain as-is, because the agent needs to pass in an {{ssl_context}} during ssl bootstrapping.
3. Update the HTTP client get, post, etc methods to accept either {{ trust_system_store include_system_store }} or {{ssl_context}} but not both.

4. Add a {{Puppet::HTTP::Client#system_ssl_context}} method that calls {{Puppet::SSL::SSLProvider.create_system_context}} and memoizes it
5. If {{ trust_system_store include_system_store }} is true, then {{Puppet::HTTP::Client#get}} (etc) should use the {{system_ssl_context}} for that connection.


Acceptance Criteria:

1. The client should be able to connect to well-known servers like github.com, whose SSL cert is not issued by the puppet PKI.
2. The client should not perform revocation checking, since the CA cert won't be in puppet's CRL bundle.
3. A connection created with the system_ssl_context should not be reused when making a connection to puppet infrastructure (using the puppet_ssl_context) and vice-versa. This can be verified looking at the http_debug log and seeing when new connections are started vs reused.
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
Atlassian logo

Josh Cooper (Jira)

unread,
Feb 28, 2020, 4:31:03 PM2/28/20
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-5069
 
Re: Puppet's HTTP API does not allow callers to trust system cacerts

Changed trust_system_store to include_system_store

Melissa Stone (Jira)

unread,
Mar 4, 2020, 1:03:04 PM3/4/20
to puppe...@googlegroups.com
Melissa Stone commented on Bug PUP-5069

Josh Cooper (Jira)

unread,
Mar 4, 2020, 1:46:04 PM3/4/20
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Enhancement
Release Notes Summary: The HTTP client now accepts a parameter to trust the system certificate store when making HTTPS connections. By default, it only trusts the puppet PKI. The API is private and may change in a future release.
Reply all
Reply to author
Forward
0 new messages