In Apache 2.4, the SSLCARevocationCheck directive was added to mod_ssl;
it defaults to none and must be explicitly configured. This
setting enables checking of a certificate revocation list. The default
Puppet master vhost config shipped with Puppet does not include this
setting. If a Puppet master is set up to run with Apache 2.4, and this
default vhost configuration file is used, the Puppet master will
continue to honor a host's certificate even after it is revoked.
Red Hat would like to thank Puppet Labs for reporting this issue.
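
A defensive check for the condition described in this report, as an added example (not code from Puppet or from this bug): it scans Apache 2.4 configuration text for vhosts that set SSLCARevocationFile or SSLCARevocationPath but leave SSLCARevocationCheck unset or at none. The vhost text, the CRL path and the `audit_vhosts` helper are constructed for illustration.

```python
import re

# Constructed sample vhost fragments (hypothetical paths, not the file shipped with Puppet).
WEAK_VHOST = """\
<VirtualHost *:8140>
    SSLEngine on
    SSLVerifyClient optional
    SSLCARevocationFile /path/to/ca_crl.pem
</VirtualHost>
"""
# Same vhost with revocation checking switched on ("chain" is one of the
# values mod_ssl accepts for this directive; choosing it here is an assumption).
FIXED_VHOST = WEAK_VHOST.replace(
    "</VirtualHost>", "    SSLCARevocationCheck chain\n</VirtualHost>")

DIRECTIVE = re.compile(r"^\s*(SSLCARevocation(?:File|Path|Check))\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)


def audit_vhosts(conf_text):
    """Return names of vhosts that load a CRL but never enforce it.

    Only directives written inside each <VirtualHost> block are considered;
    Include files and server-level settings are not followed.
    """
    flagged, vhost, seen = [], None, {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            vhost, seen = opened.group(1).strip(), {}
        elif VHOST_CLOSE.match(line) and vhost is not None:
            has_crl = "sslcarevocationfile" in seen or "sslcarevocationpath" in seen
            # Apache 2.4 treats a missing SSLCARevocationCheck as "none".
            if has_crl and seen.get("sslcarevocationcheck", "none") == "none":
                flagged.append(vhost)
            vhost = None
        elif vhost is not None:
            found = DIRECTIVE.match(line)
            if found:
                seen[found.group(1).lower()] = found.group(2).strip('"').lower()
    return flagged


if __name__ == "__main__":
    print("weak :", audit_vhosts(WEAK_VHOST))
    print("fixed:", audit_vhosts(FIXED_VHOST))
```
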
Created attachment 899367
Created attachment 902402
revised upstream patch
(In reply to Murray McAllister from comment #6)
> Created attachment 902402
> revised upstream patch
A revision was not needed here. It is OK for it to be identical to the obsoleted patch.
This issue was fixed in upstream version Puppet 3.6.2.
Created puppet tracking bugs for this issue:
Affects: fedora-all [bug 1107897]
Not vulnerable. This issue did not affect the versions of puppet as shipped with Red Hat Subscription Asset Manager 1.3 as they did not include puppet-server.