Bug #1842
Net::HTTP#enable_post_connection_check doesn't work anymore
| Status: | Closed | Start: | 12/29/2008 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assigned to: | | % Done: | 0% |
| Category: | SSL | | |
| Target version: | 0.25.5 | | |
| Affected version: | 0.24.8 | Branch: | http://github.com/jes5199/puppet/tree/ticket/0.25.x/1842 |
| Keywords: | enable_post_connection_check | | |
| Votes: | 0 | | |
Description
One of the #896 bug fixes added the http_enable_post_connection_check option against the requested host name in new versions of ruby (see revisions 36c947, f94d6d).
However, the changelog below can be found in the ruby rpms:
ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes at trunk to enable the fix without any modifications on the users' scripts. Note that Net::HTTP#enable_post_connection_check isn’t available anymore. If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead of.
HTTP#enable_post_connection_check isn’t available anymore, but puppet doesn’t give the corresponding fix.
History
Updated by Luke Kanies over 1 year ago
- Status changed from Unreviewed to Needs design decision
If I’m reading this correctly, this is really bad. This is basically saying you have two choices: Verify both the certificate and that the hostname matches, or do no verification at all.
We currently support a third choice: Verify the certificate but not the hostname.
Am I reading this right?
Updated by Kevin Cai over 1 year ago
Yeah, that’s what we are facing. Along with the new ruby version, we have to set certdnsnames in order to pass the ruby post-check.
Since the third choice we expected is not available now, I think we need to remove the enable_post_connection_check fix to avoid confusion.
Updated by Luke Kanies over 1 year ago
- Status changed from Needs design decision to Accepted
- Priority changed from Normal to High
caikevin wrote:
> Yeah, that’s what we are facing. Along with the new ruby version, we have to set certdnsnames in order to pass the ruby post-check.
> Since the third choice we expected is not available now, I think we need to remove the enable_post_connection_check fix to avoid confusion.
I agree; unfortunate but true.
Updated by James Turnbull about 1 year ago
- Category set to SSL
- Status changed from Accepted to Needs design decision
- Assigned to set to Luke Kanies
Luke?
Updated by James Turnbull about 1 year ago
- Status changed from Needs design decision to Accepted
- Affected version changed from 0.24.7 to 0.24.8
Updated by Markus Roberts 7 months ago
- Status changed from Accepted to Investigating
- Assigned to changed from Luke Kanies to Jesse Wolfe
- Target version set to 0.25.3
Set to investigating, as this was reported on 0.24.8 and may have been fixed already.
Updated by Jesse Wolfe 7 months ago
- Status changed from Investigating to Accepted
We’re still setting this deprecated flag in 0.25.x
Updated by Jesse Wolfe 7 months ago
- Branch set to http://github.com/jes5199/puppet/tree/ticket/0.25.x/1842
Updated by Jesse Wolfe 7 months ago
- Status changed from Accepted to Ready for Testing
Updated by Markus Roberts 7 months ago
- Target version changed from 0.25.3 to 0.25.4
Updated by James Turnbull 7 months ago
- Target version changed from 0.25.4 to 0.25.3
Updated by James Turnbull 7 months ago
- Target version changed from 0.25.3 to 0.25.4
Updated by James Turnbull 7 months ago
- Target version changed from 0.25.4 to 0.25.5
Updated by James Turnbull 6 months ago
- Status changed from Ready for Testing to Closed
Pushed in commit b473264fe76f92b8eddeed7175c4283c9f8484d2 in branch 0.25.x
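
The three choices discussed in this ticket, as an added Ruby example (not Puppet's code and not part of the ticket): it separates the certificate-chain check from the hostname check, using `OpenSSL::SSL.verify_certificate_identity`, which current Ruby calls from `post_connection_check`. The CA, the host names and the helper names (`make_cert`, `chain_ok?`, `host_ok?`, `policies`) are constructed for illustration; the extra DNS names on the server certificate play the role that `certdnsnames` plays in the thread.

```ruby
require 'openssl'

# Build an X.509 certificate; self-signed when no issuer is given.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, dns: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  bc = ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', bc, true))
  san = dns.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san)) unless dns.empty?
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Check 1: does the certificate chain to the trusted CA?
def chain_ok?(cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# Check 2 (the post-connection check): does the certificate name the requested host?
def host_ok?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Whether each policy from the thread would accept this certificate for this host.
def policies(cert, ca_cert, host)
  chain = chain_ok?(cert, ca_cert)
  { chain_and_hostname: chain && host_ok?(cert, host), chain_only: chain, verify_none: true }
end

# Constructed sample PKI (all names are made up for this example).
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA = make_cert('Example Puppet CA', CA_KEY, ca: true)
SRV_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER = make_cert('master.example.test', SRV_KEY, issuer: CA, issuer_key: CA_KEY,
                   dns: %w[master.example.test puppet])
ROGUE = make_cert('puppet', SRV_KEY, dns: %w[puppet]) # self-signed, not issued by CA

puts policies(SERVER, CA, 'puppet')             # name listed in the certificate
puts policies(SERVER, CA, 'other.example.test') # valid chain, name not listed
puts policies(ROGUE, CA, 'puppet')              # right name, untrusted issuer
```

The second case is the one the "third choice" accepts and the combined check rejects; the third case is accepted only under `VERIFY_NONE`.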