authorAdrien Thebo <git@somethingsinistral.net>2014-05-13 11:51:30 -0700
committerMelissa Stone <melissa@puppetlabs.com>2014-05-27 11:22:01 -0700
commitb02af7e05d9b9a3bc23474933d8d7f6cd6191158 (patch)
treef87b9665c86cd3d13e288396f3588205ec6f4e25 /ext
parent1d1e1eac451fdd277ff1601b3fb635dcb713c7be (diff)
downloadpuppet-b02af7e05d9b9a3bc23474933d8d7f6cd6191158.tar.gz
(PUP-2533) Apache 2.4 requires explicit CRL configuration
In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath directives were specified then the specified file(s) would be checked when establishing an SSL connection. In Apache 2.4+, the SSLCARevocationCheck directive was added to control how CRLs are checked when verifying a connection, and it has a default value of none. This means that Apache defaults to ignoring CRLs even if paths to CRL files are specified. This commit updates the debian postinst script for the puppetmaster-passenger package to set the SSLCARevocationCheck directive to 'chain' when Apache 2.4 is installed. This ensures that the puppetmaster-passenger vhost respects CRL files in the same way that Apache 2.2 does by default. Apache 2.2
Diffstat (limited to 'ext')
-rw-r--r--ext/debian/puppetmaster-passenger.postinst20
-rw-r--r--ext/rack/example-passenger-vhost.conf4
2 files changed, 23 insertions, 1 deletions
diff --git a/ext/debian/puppetmaster-passenger.postinst b/ext/debian/puppetmaster-passenger.postinst
index 2c9f20c3f..608ad409d 100644
--- a/ext/debian/puppetmaster-passenger.postinst
+++ b/ext/debian/puppetmaster-passenger.postinst
@@ -3,6 +3,7 @@
set -e
sitename="puppetmaster"
+apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
# The debian provided a2* utils in Apache 2.4 uses "site name" as
# argument, while the version in Apache 2.2 uses "file name".
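Review bot: Moving the `dpkg-query` call to file scope means it now runs under `set -e` on every invocation of the postinst, not only when the sitename helper was called; if the query fails for any reason (apache2 not queryable at that moment, e.g. during an abort-* path), the whole maintainer script aborts before reaching the `"$1" = "configure"` branch. If the package's Depends guarantees apache2 is always present this is presumably harmless, but it is worth a comment stating that assumption, e.g. `# apache2 is a hard dependency, so this query is expected to succeed; a failure aborts the postinst under set -e`. The same version string is consumed by the new `update_vhost_for_apache24` helper in the later hunk.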
@@ -14,7 +15,6 @@ sitename="puppetmaster"
# This will end in tears…
# Can be removed when we only support apache >= 2.4
apache2_puppetmaster_sitename() {
- apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
echo "${sitename}.conf"
else
@@ -49,6 +49,23 @@ update_vhost_for_passenger4() {
fi
}
+# In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath
+# directives were specified then the specified file(s) would be checked when
+# establishing an SSL connection. Apache 2.4+ the SSLCARevocationCheck directive
+# was added to control how CRLs were checked when verifying a connection and had
+# a default value of none. This means that Apache defaults to ignoring CRLs even
+# if paths are specified to CRL files.
+#
+# This function automatically uncomments the SSLCARevocationCheck directive when
+# the currently installed version of Apache is 2.4.
+update_vhost_for_apache24() {
+ if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
+ sed -r -i \
+ -e "/# SSLCARevocationCheck/s/# //" \
+ $tempfile
+ fi
+}
+
if [ "$1" = "configure" ]; then
# Change the owner of the rack config.ru to be the puppet user
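Review bot: `update_vhost_for_apache24` fails silently when the template does not contain a line matching `# SSLCARevocationCheck` — the sed expression `-e "/# SSLCARevocationCheck/s/# //"` is then a no-op and the generated vhost ships with CRL checking still disabled on Apache 2.4, which is exactly the condition this commit sets out to fix. A `grep -q` after the substitution turns that into a visible warning instead of a silent downgrade of certificate revocation checking. The `$tempfile` argument should also be quoted (`"$tempfile"`, as the rest of the script uses `set -e` but not strict quoting), and `-r` is not needed for this pattern. Whether the shipped apache2.site.conf.tmpl actually carries the commented directive cannot be confirmed from this diff; the example vhost in the second file does.

```shell
update_vhost_for_apache24() {
  if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
    sed -i -e "/# SSLCARevocationCheck/s/# //" "$tempfile"
    # The substitution is a no-op if the template line is missing; on 2.4 that
    # would leave CRL checking disabled, so make it visible rather than silent.
    if ! grep -q '^[[:space:]]*SSLCARevocationCheck' "$tempfile"; then
      echo "warning: SSLCARevocationCheck not enabled in ${sitename} vhost; Apache 2.4 will ignore CRLs" >&2
    fi
  fi
}
```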
@@ -90,6 +107,7 @@ if [ "$1" = "configure" ]; then
-e "s|<Directory /etc/puppet/rack/>|<Directory /usr/share/puppet/rack/puppetmasterd/>|" \
/usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
update_vhost_for_passenger4
+ update_vhost_for_apache24
mv $tempfile "${APACHE2_SITE_FILE}"
fi
diff --git a/ext/rack/example-passenger-vhost.conf b/ext/rack/example-passenger-vhost.conf
index c14f3cd98..7d40b9498 100644
--- a/ext/rack/example-passenger-vhost.conf
+++ b/ext/rack/example-passenger-vhost.conf
@@ -29,6 +29,10 @@ Listen 8140
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
+ # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
+ # which effectively disables CRL checking; if you are using Apache 2.4+ you must
+ # specify 'SSLCARevocationCheck chain' to actually use the CRL.
+ # SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
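Review bot: The new comment block tells the reader they must set `SSLCARevocationCheck chain` on Apache 2.4+, but does not say why the directive itself is shipped commented out, so an administrator on 2.4 who copies this example as-is still gets CRL checking silently disabled, and one on 2.2 who uncomments it gets a config error (mod_ssl in 2.2 does not know the directive). Add one line after the existing comment, e.g. `# The directive is left commented because Apache 2.2 rejects it as unknown; uncomment it on 2.4+.`, so both outcomes are explicit.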