(maint) ruby-openssl now sets store_context.error

Ruby now correctly sets the store_context.error when the cert is mismatched[1], [2]. So in that case raise the expected CertMismatchError. [1] ruby/openssl#244 [2] https://github.com/ruby/ruby-openssl/commit/74ef8c0cc56b840b772240f2ee2b0fc0aafa2743
joshcooper · Dec 1, 2021 · 4ad837f · 4ad837f
1 parent d1bad44
commit 4ad837f
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/lib/puppet/ssl/verifier.rb b/lib/puppet/ssl/verifier.rb
@@ -115,6 +115,12 @@ def call(preverify_ok, store_context)
         return false
       end
 
+    # ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
+    # store_context error when the cert is mismatched
+    when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
+      @last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+      return false
+
     when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
       crl = store_context.current_crl
       if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS