
Commit c8ad659

Merge pull request #8829 from joshcooper/maint_openssl
(maint) ruby-openssl now sets store_context.error
2 parents d1bad44 + 838f9e0 commit c8ad659


2 files changed

+12
-0
lines changed


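--- a/lib/puppet/ssl/verifier.rb
+++ b/lib/puppet/ssl/verifier.rb
@@ -115,6 +115,12 @@ def call(preverify_ok, store_context)
 return false
 end
 
+# ruby-openssl#74ef8c0cc56b840b772240f2ee2b0fc0aafa2743 now sets the
+# store_context error when the cert is mismatched
+when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH
+@last_error = Puppet::SSL::CertMismatchError.new(peer_cert, @hostname)
+return false
+
 when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
 crl = store_context.current_crl
 if crl && crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS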
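Review bot: The comment above the new `when OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH` branch cites a ruby-openssl commit hash, which tells a maintainer neither which ruby-openssl release first raises this error code nor that the constant itself is backfilled by the monkey patch when the bundled ruby-openssl predates it. On an older ruby-openssl the branch is dead code and hostname mismatches still flow through whatever path handled them before, so it is worth making that explicit so the fallback can be retired deliberately. I would extend the comment along the lines of `# Older ruby-openssl never reports this code; the constant is defined in util/monkey_patches.rb so this branch parses there (drop both once ruby-openssl <PLACEHOLDER_MIN_VERSION> is the floor)`. Whether `peer_cert` is in scope here cannot be seen in the hunk, since the enclosing `call` method and its `case` both begin outside it.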

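--- a/lib/puppet/util/monkey_patches.rb
+++ b/lib/puppet/util/monkey_patches.rb
@@ -39,6 +39,12 @@ module OpenSSL::SSL
 end
 end
 
+unless defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH)
+module OpenSSL::X509
+OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH = 0x3E
+end
+end
+
 class OpenSSL::SSL::SSLContext
 if DEFAULT_PARAMS[:options]
 DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3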
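Review bot: The literal `0x3E` in the new `unless defined?` block has no comment saying where it comes from, so a reader has no way to check that it matches the code ruby-openssl will surface or to know when the backfill can be removed. I would put `# X509_V_ERR_HOSTNAME_MISMATCH (62) from OpenSSL's x509_vfy.h; backfilled only for ruby-openssl builds that predate the constant` directly above the assignment. As a point of style, inside `module OpenSSL::X509` the fully-qualified `OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH = 0x3E` is redundant and reads as if it targeted a different namespace; `V_ERR_HOSTNAME_MISMATCH = 0x3E` is the conventional form.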
