Skip to content
This repository has been archived by the owner on Jan 4, 2021. It is now read-only.

(#550) intermediate certificate chains #552

Merged
merged 1 commit into from
Dec 16, 2018
Merged

(#550) intermediate certificate chains #552

merged 1 commit into from
Dec 16, 2018

Conversation

vjanelle
Copy link
Contributor

For bonus effort, this will also test SANs by moving the validation
logic to openssl, instead of trying to parse the CN out of the subject.

Contains ruby 2.4/2.5 compat for OpenSSL::SSL::Context depreciating the
use of extra_cert_chain - the ruby shipped with puppet 5.X is behind
a revision.

@vjanelle vjanelle force-pushed the support_intermediate_certs_and_san branch from 3418f3f to b2a3a45 Compare December 12, 2018 06:51
@vjanelle vjanelle force-pushed the support_intermediate_certs_and_san branch 2 times, most recently from d938068 to 6694922 Compare December 12, 2018 23:42
@vjanelle
Copy link
Contributor Author

@ripienaar tests added. Couldn't see that many spots where the difference was relevant.

Trying to use OpenSSL::X509::Store wasn't useful. Would've still ended up having to use the scan function to process/split the file. Basically there's now way to get a list of X509::Certificates out once it's been read in.

Trying to batch them all up so that I could use SSL::StoreContext to verify didn't work either.

@vjanelle vjanelle force-pushed the support_intermediate_certs_and_san branch from 6694922 to 4614590 Compare December 13, 2018 16:27
ripienaar
ripienaar suggested changes Dec 14, 2018
View reviewed changes
Copy link
Collaborator

@ripienaar ripienaar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looking pretty good! few small thingys

lib/mcollective/util/choria.rb Outdated Show resolved Hide resolved
lib/mcollective/util/choria.rb Outdated Show resolved Hide resolved
lib/mcollective/util/choria.rb Outdated Show resolved Hide resolved
lib/mcollective/util/choria.rb Outdated Show resolved Hide resolved
lib/mcollective/util/choria.rb Outdated Show resolved Hide resolved
@vjanelle vjanelle force-pushed the support_intermediate_certs_and_san branch from 4614590 to d56fe2c Compare December 15, 2018 20:05
@vjanelle
(choria-legacy#550) intermediate certificate chains
2614283 
For bonus effort, this will also test SANs by moving the validation
logic to openssl, instead of trying to parse the CN out of the subject.

Contains ruby 2.4/2.5 compat for OpenSSL::SSL::Context depreciating the
use of `extra_cert_chain` - the ruby shipped with puppet 5.X is behind
a revision.

Ruby's OpenSSL doesn't make this easy, which I suspect is more to do
with OpenSSL than Ruby.  There are alternatives which reduce some of
this, like R509 but haven't investigated them yet.

* Add intermediate certificate processing - hacky :(
* Add intermediate chain certs
* Add spec tests to validate intermediate chain handling
* Add something to detect `/usr/bin/false` vs `/bin/false` because no one can agree where it goes.
@vjanelle vjanelle force-pushed the support_intermediate_certs_and_san branch from d56fe2c to 2614283 Compare December 15, 2018 20:07
@vjanelle
Copy link
Contributor Author

@ripienaar done.

@ripienaar ripienaar merged commit 9d44924 into choria-legacy:master Dec 16, 2018
@ripienaar
Copy link
Collaborator

nicely done thanks, will do some testing next week!

@ripienaar
Copy link
Collaborator

@vjanelle We have to update here too:

https://github.com/choria-io/mcollective-choria/blob/9d44924fb89614aa223d85a1abc1bab9e524a7c9/lib/mcollective/application/choria.rb#L191

@vjanelle
Copy link
Contributor Author

Hmm, guess there’s no spec tests around show_config?

@ripienaar
Copy link
Collaborator

nah for the applications i generally cant be bothered writing tests

@vjanelle
Copy link
Contributor Author

Looks like I broker security/choria.rb too (at least the tests) when using the ruby choria server.

@vjanelle vjanelle deleted the support_intermediate_certs_and_san branch December 17, 2018 21:21
vjanelle added a commit to vjanelle/mcollective-choria that referenced this pull request Dec 17, 2018
@vjanelle
(choria-legacy#550) ruby mcollective server security provider
ec9e5d1 
Changing the method in choria-legacy#552, didn't notice it was being used elsewhere
(and hidden by mocking) - broke use of it downstream in the security
provider and in `mco choria show_config`.  Fix use of methods.
@vjanelle vjanelle mentioned this pull request Dec 17, 2018
Merged
@vjanelle
Copy link
Contributor Author

@ripienaar fixed in #554

vjanelle added a commit to vjanelle/mcollective-choria that referenced this pull request Dec 17, 2018
@vjanelle
(choria-legacy#550) ruby mcollective server security provider
02c9e0c 
Changing the method in choria-legacy#552, didn't notice it was being used elsewhere
(and hidden by mocking) - broke use of it downstream in the security
provider and in `mco choria show_config`.  Fix use of methods.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ripienaar ripienaar ripienaar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@vjanelle @ripienaar