
(maint) Only append to peer_certs if verify succeeded
64f28706bf9b

Unpublished Commit


Description

(maint) Only append to peer_certs if verify succeeded

Previously, we assumed that verify_callback was only called once for each
cert in the chain, with preverify_ok set to true or false depending on
whether the cert is verified.

However, OpenSSL can invoke the verify_callback for a number of other
reasons, e.g. CRL not yet valid. In that case, the error is not with
the current_cert, but with the current_crl.

This commit changes the logic so that the current_cert is appended to the
@peer_certs array only in the case that preverify_ok is true. This does not
cause problems, because we only looked at the @peer_certs array if every
cert in the chain was successfully verified.

This commit makes it easier to handle other types of verify errors.
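The behaviour the commit message describes can be reproduced without a network. The following is an added Ruby example, not code from this commit or from Puppet: it builds a constructed in-memory CA, leaf certificate and CRL, verifies the leaf through Ruby's OpenSSL::X509::Store with OpenSSL's CRL checking enabled, and records every verify_callback invocation. When the CRL's lastUpdate lies in the future, OpenSSL invokes the callback with preverify_ok false and error V_ERR_CRL_NOT_YET_VALID while current_cert is the leaf and current_crl is the CRL; a callback that appended current_cert on every invocation would therefore record the leaf before it had been verified, and, if it let verification continue, would record it twice. The callback here appends only when preverify_ok is true, which is the change this commit makes. The names build_pki, make_crl, verify_with_crl and the continue_on_error option are this example's own, and Puppet's validator class is not reproduced.

```ruby
require "openssl"

# Added example, not Puppet's code: a constructed in-memory CA and leaf
# certificate so that the verification below runs offline.
def build_pki
  now      = Time.now
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  digest   = OpenSSL::Digest.new("SHA256")

  ca = OpenSSL::X509::Certificate.new
  ca.version    = 2
  ca.serial     = 1
  ca.subject    = OpenSSL::X509::Name.parse("/CN=Example Test CA")
  ca.issuer     = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = now - 60
  ca.not_after  = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ca.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  ca.sign(ca_key, digest)

  leaf = OpenSSL::X509::Certificate.new
  leaf.version    = 2
  leaf.serial     = 2
  leaf.subject    = OpenSSL::X509::Name.parse("/CN=agent.example.test")
  leaf.issuer     = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = now - 60
  leaf.not_after  = now + 3600
  leaf.sign(ca_key, digest)

  { ca: ca, ca_key: ca_key, leaf: leaf }
end

# An empty CRL issued by the CA. A last_update in the future makes the CRL
# "not yet valid", the verify error the commit message uses as its example.
def make_crl(pki, last_update:)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = pki[:ca].subject
  crl.last_update = last_update
  crl.next_update = last_update + 3600
  crl.sign(pki[:ca_key], OpenSSL::Digest.new("SHA256"))
  crl
end

# Verifies the leaf with CRL checking on and records every verify_callback
# invocation. peer_certs follows the commit: a cert is appended only when
# preverify_ok is true. With continue_on_error the callback returns true so
# OpenSSL keeps going and every invocation becomes visible; Ruby's wrapper then
# clears the error, so the overall verification "succeeds". A real validator
# returns preverify_ok, which aborts verification at the first error.
def verify_with_crl(pki, crl, continue_on_error: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(pki[:ca])
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK

  invocations = []
  peer_certs  = []
  store.verify_callback = proc do |preverify_ok, ctx|
    cert     = ctx.current_cert   # set for every invocation, error or not
    crl_seen = ctx.current_crl    # non-nil only while a CRL is being checked
    invocations << {
      ok:           preverify_ok,
      depth:        ctx.error_depth,
      error:        ctx.error,
      error_string: ctx.error_string,
      cert:         cert && cert.subject.to_s,
      crl:          crl_seen && crl_seen.issuer.to_s,
    }
    peer_certs << cert.subject.to_s if preverify_ok
    continue_on_error ? true : preverify_ok
  end

  verified = store.verify(pki[:leaf])
  { verified: verified, invocations: invocations, peer_certs: peer_certs }
end

if __FILE__ == $PROGRAM_NAME
  pki = build_pki
  future_crl = make_crl(pki, last_update: Time.now + 3600)
  verify_with_crl(pki, future_crl, continue_on_error: true)[:invocations].each do |i|
    puts format("ok=%-5s depth=%d err=%-2d cert=%-22s crl=%-18s (%s)",
                i[:ok], i[:depth], i[:error], i[:cert], i[:crl].inspect, i[:error_string])
  end
end
```

Run stand-alone, the script prints one line per callback invocation for the not-yet-valid CRL: the first has preverify_ok false with the leaf as current_cert and the CA's CRL as current_crl, and the later ones are the per-certificate successes, so there are more invocations than certificates in the chain. Only the successes reach peer_certs. The continue_on_error option exists purely to make that sequence observable; returning true from the callback swallows the CRL error, which is not something a validator should do.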

Details

Provenance
Authored by Josh Cooper <josh@puppetlabs.com>
Pushed by vanmeeuwen on Jun 2 2015, 2:22 PM
Parents
rPUade0e5002854: (maint) Correct parameter type from SSLContext to StoreContext
Branches
Unknown
Tags
Unknown

Event Timeline

Josh Cooper <josh@puppetlabs.com> committed rPU64f28706bf9b: (maint) Only append to peer_certs if verify succeeded (authored by Josh Cooper <josh@puppetlabs.com>). Sep 9 2014, 7:23 PM