Skip to content

Commit

Permalink
(maint) ruby-openssl now sets store_context.error
Browse files Browse the repository at this point in the history
Ruby now correctly sets the store_context.error when the cert is mismatched[1], [2]. So
in that case raise the expected CertMismatchError.

We also have to monkey patch the ruby constant, which was only recently added to
match openssl 1.1[3].

[1] ruby/openssl#244
[2] ruby/openssl@74ef8c0
[3] ruby/openssl@65ea09c
  • Loading branch information
joshcooper committed Dec 1, 2021
1 parent d1bad44 commit 838f9e0
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 0 deletions.
6 changes: 6 additions & 0 deletions lib/puppet/ssl/verifier.rb
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,12 @@ def call(preverify_ok, store_context)
return false
end

# ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
# store_context error when the cert is mismatched
when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
@last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
return false

when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
crl = store_context.current_crl
if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
Expand Down
6 changes: 6 additions & 0 deletions lib/puppet/util/monkey_patches.rb
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,12 @@ module OpenSSL::SSL
end
end

unless defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH)
module OpenSSL::X509
OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH = 0x3E
end
end

class OpenSSL::SSL::SSLContext
if DEFAULT_PARAMS[:options]
DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
Expand Down

0 comments on commit 838f9e0

Please sign in to comment.