puppet - [no description]

Age	Commit message (Collapse)	Author	Files	Lines
2013-05-16	(#20742) Handle DNs that cannot be parsed	Andrew Parker	1	-5/+23
	When no DN is sent in a RACK setup (passenger behind apache), the DN that the master sees for unauthenticated requests ends up being the string "(null)". The openssl name parsing functions do not handle data that doesn't look like a DN in a useful manner. If the string to be parsed as a DN does not contain an equals sign ("="), then it will fail with an error like: TypeError: can't convert nil into String # ./lib/puppet/util/ssl.rb:26:in `call' # ./lib/puppet/util/ssl.rb:26:in `block in subject_from_dn' # ./lib/puppet/util/ssl.rb:24:in `each' # ./lib/puppet/util/ssl.rb:24:in `subject_from_dn' This same code also would fail with a OpenSSL::X509::NameError if the parsed DN contained an unknown part (RDN), e.g. "no=yes". This commit fixes the malformed DN by checking that the DN contains at least an equals sign before trying to parse. It also then handles all OpenSSL::X509::NameError problems.
2013-05-16	(Maint) Give each test a meaningful name	Andrew Parker	1	-16/+39
	The tests being put all together did not provide any explanation about what was interesting about each situation. This obscures other interesting cases that may not be covered and also provides little to no specification to later developers who may need to know what the cases being handled are.
2013-03-27	(#15561) Extract CN from certificate subjects more carefully	Dustin J. Mitchell	1	-0/+51
	When using certificate chaning or otherwise generating SSL certificates outside of Puppet, the subject often has multiple components, e.g., CN=hostname.foo.com,O=Foo\, Inc.,OU=Marketing The hostname, which is later verified against a strict set of allowed characters, is only extracted from the "CN" field, with all of the other fields ignored. This uses OpenSSL::X509::Name to parse the DN's, allowing both rfc2253-formatted and openssl-formatted DNS, as seen from Apache and nginx, respectively.