(#550) intermediate certificate chains #552
@ripienaar tests added. Couldn't see that many spots where the difference was relevant. Trying to batch them all up so that I could use SSL::StoreContext to verify didn't work either.
looking pretty good! few small thingys
For bonus effort, this will also test SANs by moving the validation logic to openssl, instead of trying to parse the CN out of the subject.

Contains ruby 2.4/2.5 compat for OpenSSL::SSL::Context deprecating the use of `extra_cert_chain` - the ruby shipped with puppet 5.X is behind a revision.

Ruby's OpenSSL doesn't make this easy, which I suspect is more to do with OpenSSL than Ruby. There are alternatives which reduce some of this, like R509 but haven't investigated them yet.

* Add intermediate certificate processing - hacky :(
* Add intermediate chain certs
* Add spec tests to validate intermediate chain handling
* Add something to detect `/usr/bin/false` vs `/bin/false` because no one can agree where it goes.
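The two checks the commit message describes, chain verification through an intermediate and name matching done by OpenSSL against the SANs, shown as an added example that is not code from this pull request. The helper names, certificate names and the throwaway PKI are all constructed for illustration.

```ruby
require "openssl"

# Constructed test PKI: every name, serial and lifetime here is a sample value.
def issue(cn, issuer: nil, issuer_key: nil, ca: false, sans: [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  if ca
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  unless sans.empty?
    san = sans.map { |n| "DNS:#{n}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Chain check: only the root is trusted; intermediates are passed as untrusted helpers.
def chain_valid?(trusted_root, cert, intermediates = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.verify(cert, intermediates)
end

# Name check done by OpenSSL's matcher (SANs first), not by parsing the subject.
def identity_valid?(cert, name)
  OpenSSL::SSL.verify_certificate_identity(cert, name)
end

# The approach being replaced: read the CN out of the subject. It never sees SANs.
def cn_of(cert)
  cert.subject.to_a.find { |field| field[0] == "CN" }&.fetch(1)
end

ROOT, ROOT_KEY = issue("Example Root CA", ca: true)
INTER, INTER_KEY = issue("Example Intermediate CA", issuer: ROOT, issuer_key: ROOT_KEY, ca: true)
LEAF, LEAF_KEY = issue("node1.example.net", issuer: INTER, issuer_key: INTER_KEY,
                       sans: ["node1.example.net", "alias.example.net"])
```

Without the intermediate, `chain_valid?(ROOT, LEAF)` is false even though the leaf is legitimate, and `alias.example.net` is accepted by `identity_valid?` while `cn_of` only ever reports `node1.example.net`.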
@ripienaar done.
nicely done thanks, will do some testing next week!
Hmm, guess there’s no spec tests around show_config?
nah for the applications I generally can't be bothered writing tests
Looks like I broke security/choria.rb too (at least the tests) when using the ruby choria server.
Changing the method in choria-legacy#552, didn't notice it was being used elsewhere (and hidden by mocking) - broke use of it downstream in the security provider and in `mco choria show_config`. Fix use of methods.
@ripienaar fixed in #554