
(PUP-894) Accept CRLs that were "recently" updated
Commit 76d485ddba97 (unpublished)

Description

(PUP-894) Accept CRLs that were "recently" updated

Previously, the agent would reject an SSL connection if the CRL it
downloaded from the CA had a last_update time that was slightly in the
future. The agent reports this as "CRL is not yet valid." This issue can
happen when the CA's time is slightly ahead of the agent's time, the CRL
is recently updated, and the agent doesn't already have a cached version
of the CRL (due to PUP-2103).

The "CRL not yet valid" error sometimes happens during acceptance testing
when we delete the agent's ssl directory, revoke a cert on the master
(which updates the CRL's last_update field), and run the agent (which
downloads the latest CRL).

This commit modifies the verify callback to ignore "CRL not yet valid"
errors provided all of the following are true:

  • current_crl is not nil
  • current_crl.last_update is not nil
  • current_crl.last_update is strictly less than 5 minutes from now

It also adds specs around unspecified behavior, e.g. ensure the verify
callback returns false when errors are detected.
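As an added example (written for this page, not Puppet's own code), the following Ruby implements the three conditions above as an OpenSSL verify callback and exercises it against a constructed throwaway PKI: a self-signed CA, one leaf certificate, and a CRL whose last_update is deliberately set a few minutes ahead of the local clock, which is what makes OpenSSL report "CRL is not yet valid". The constant CRL_CLOCK_SKEW and the helpers build_pki, verify_with_crl and demo are hypothetical names chosen here; the OpenSSL::X509 calls are the standard Ruby openssl API.

```ruby
require 'openssl'

# Tolerance for a CRL whose last_update is slightly in the future because the
# CA's clock runs ahead of the agent's (hypothetical constant, not Puppet's).
CRL_CLOCK_SKEW = 5 * 60 # seconds

# The three conditions from the commit message, applied to an OpenSSL::X509::CRL.
def recently_updated_crl?(crl, now = Time.now)
  return false if crl.nil?
  return false if crl.last_update.nil?
  crl.last_update < now + CRL_CLOCK_SKEW
end

# Verify callback in the (preverify_ok, store_ctx) shape that
# OpenSSL::X509::Store#verify_callback= and SSLContext#verify_callback= expect.
# Returning exactly `true` tells OpenSSL to continue past the current error;
# any other error, or a CRL too far in the future, still fails verification.
def crl_tolerant_verify_callback(preverify_ok, store_ctx)
  return true if preverify_ok
  return false unless store_ctx.error == OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
  recently_updated_crl?(store_ctx.current_crl)
end

# Constructed fixture: throwaway CA, one leaf cert, and a CRL whose last_update
# is `skew` seconds ahead of the local clock (simulating a fast CA clock).
def build_pki(skew)
  now = Time.now

  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=Test Puppet CA')
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = now - 3600
  ca.not_after = now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = now - 3600
  leaf.not_after = now + 86_400
  leaf.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # X.509 v2 CRL
  crl.issuer = ca.subject
  crl.last_update = now + skew # this is what triggers "CRL is not yet valid"
  crl.next_update = now + 86_400
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  [ca, leaf, crl]
end

# Verify `leaf` against `ca` with CRL checking enabled, optionally through the
# tolerant callback. Returns [ok, error_code] as reported by the store.
def verify_with_crl(ca, leaf, crl, callback = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.verify_callback = callback if callback
  ok = store.verify(leaf)
  [ok, store.error]
end

# Compare strict verification with the tolerant callback for a given skew.
def demo(skew)
  ca, leaf, crl = build_pki(skew)
  tolerant = proc { |ok, ctx| crl_tolerant_verify_callback(ok, ctx) }
  {
    strict: verify_with_crl(ca, leaf, crl),
    tolerant: verify_with_crl(ca, leaf, crl, tolerant)
  }
end

if $PROGRAM_NAME == __FILE__
  p demo(120) # CRL 2 min ahead: strict fails with V_ERR_CRL_NOT_YET_VALID, tolerant passes
  p demo(600) # CRL 10 min ahead: both fail, the skew exceeds CRL_CLOCK_SKEW
end
```

Two points worth noting about this shape of fix. The callback only relaxes the time window: once it returns true, OpenSSL continues into the revocation lookup, so serials listed in the slightly-future CRL are still treated as revoked. And because the callback must return literal `true` to override an error, the comparison is written to yield a boolean rather than a truthy Time object.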

Details

Provenance
Authored by Josh Cooper <josh@puppetlabs.com>
Pushed by vanmeeuwen on Jun 2 2015, 2:22 PM
Parents
rPU591bf862ed21: (PUP-894) Add specs for current behavior
Branches
Unknown
Tags
Unknown

Event Timeline

Josh Cooper <josh@puppetlabs.com> committed rPU76d485ddba97: (PUP-894) Accept CRLs that were "recently" updated (authored by Josh Cooper <josh@puppetlabs.com>). Sep 10 2014, 3:09 AM