Jira (PUP-11045) Ruby 3 reports cert hostname mismatch differently


Josh Cooper (Jira)

Apr 29, 2021, 6:17:03 PM
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Bug PUP-11045
Ruby 3 reports cert hostname mismatch differently
Issue Type: Bug
Assignee: Unassigned
Created: 2021/04/29 3:16 PM
Priority: Normal
Reporter: Josh Cooper

If ruby-openssl detects the server's hostname is mismatched, it passes preverify_ok=false but sets the X509Store error to V_ERR_OK. See https://github.com/ruby/openssl/issues/244

This was fixed in https://github.com/ruby/openssl/commit/035a04ece237105ba3c91a8db8f81dc81d2dc452 and released in ruby-openssl 2.2.0 which has only been released in Ruby 3.0. As a result, the X509Store error is now correctly set to X509_V_ERR_HOSTNAME_MISMATCH (in openssl 1.1 and up) or X509_V_ERR_CERT_REJECTED. This causes puppet to raise a generic "CertVerifyError" exception instead of the more specific hostname mismatch error.

 
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)
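The two reporting behaviours described in the issue, handled by one classifier. This is an added example, not part of the original message and not Puppet's code; `classify_verify_failure`, `constructed_cert` and the hostnames are hypothetical, and the caller is assumed to pass the leaf certificate and the callback's `preverify_ok` and store error.

```ruby
require 'openssl'

# Codes that ruby-openssl >= 2.2.0 sets on a hostname mismatch, per the issue.
MISMATCH_CODES = [
  (OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH if OpenSSL::X509.const_defined?(:V_ERR_HOSTNAME_MISMATCH)),
  OpenSSL::X509::V_ERR_CERT_REJECTED
].compact.freeze

# Hypothetical helper: classify what a verify_callback saw for the leaf
# certificate. hostname is the name the client intended to reach.
def classify_verify_failure(preverify_ok, error, leaf_cert, hostname)
  return :ok if preverify_ok

  name_matches = OpenSSL::SSL.verify_certificate_identity(leaf_cert, hostname)
  if error == OpenSSL::X509::V_OK
    # Older ruby-openssl: failure reported with V_OK, so re-check the
    # name instead of trusting the "OK" code.
    name_matches ? :unknown_failure : :hostname_mismatch
  elsif MISMATCH_CODES.include?(error) && !name_matches
    # Newer ruby-openssl: explicit code. CERT_REJECTED has other causes,
    # so the name check is what confirms the mismatch.
    :hostname_mismatch
  else
    :chain_error
  end
end

# Constructed self-signed certificate, used only as sample input.
def constructed_cert(dns_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if $PROGRAM_NAME == __FILE__
  cert = constructed_cert('puppet.example.test')
  # Same mismatch, as reported before and after ruby-openssl 2.2.0.
  puts classify_verify_failure(false, OpenSSL::X509::V_OK, cert, 'other.example.test')
  puts classify_verify_failure(false, OpenSSL::X509::V_ERR_CERT_REJECTED, cert, 'other.example.test')
end
```

Every result other than `:ok` still has to fail the handshake; the classification only selects which error is raised.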

Josh Cooper (Jira)

Apr 29, 2021, 6:25:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Apr 29, 2021, 7:32:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Platform Core KANBAN

Josh Cooper (Jira)

Apr 29, 2021, 7:33:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

May 10, 2021, 11:12:02 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

May 10, 2021, 11:12:04 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

May 12, 2021, 1:27:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

May 12, 2021, 1:27:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 7.7.0

Josh Cooper (Jira)

May 12, 2021, 1:27:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes: Not Needed